[Emerging-Sigs] Sigs for Possible German Governmental Backdoor / R2D2.A (Bundestrojaner)

Edward Fjellskål edwardfjellskaal at gmail.com
Sun Oct 9 09:53:50 EDT 2011


I wrote this sig on #snort today:

07:57 < ebf0> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"German
Gov is on to you! Run"; flow:from_client,established;
content:"C3PO-r2d2-POE"; depth:13; classtype:trojan-activity;
reference:url,ccc.de/en/updates/2011/staatstrojaner; sid:123456789; rev:1;)


07:59 < ebf0> you might also sig on "|11 26 80 7c ff ff ff ff 00 26 80
7c 42 25 80 7c|"
07:59 < ebf0> (the ping/pong packets)
07:59 < ebf0> client to server that is



E

On 10/09/2011 01:39 PM, Mex wrote:
> 
> very nice reverse-engineering, if so.
> the ccc-website provides some samples of this malware and it might
> be possible to detect and create sigs based on network-traffic
> (although talking via port 443, the trojan is not speaking ssl)
> 
> 
> http://www.ccc.de/en/updates/2011/staatstrojaner
> http://www.ccc.de/de/updates/2011/staatstrojaner
> http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
> http://www.f-secure.com/weblog/archives/00002249.html
> http://www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html
> http://www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545
> 
> 
> #
> alert tcp 83.236.140.90 any -> $HOME_NET any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2";
> flow:established,to_client; threshold:type limit, track by_src, count 1, seconds 60;
> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner;
> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf;
> reference:url,www.f-secure.com/weblog/archives/00002249.html;
> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html;
> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545;
> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:2;)
> 
> #
> alert tcp $HOME_NET any -> 83.236.140.90 any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2";
> flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60;
> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner;
> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf;
> reference:url,www.f-secure.com/weblog/archives/00002249.html;
> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html;
> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545;
> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:2;)
> 
> #
> alert tcp 207.158.22.134 any -> $HOME_NET any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1";
> flow:established,to_client; threshold:type limit, track by_src, count 1, seconds 60;
> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner;
> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf;
> reference:url,www.f-secure.com/weblog/archives/00002249.html;
> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html;
> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545;
> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:3;)
> 
> #
> alert tcp $HOME_NET any -> 207.158.22.134 any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1";
> flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60;
> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner;
> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf;
> reference:url,www.f-secure.com/weblog/archives/00002249.html;
> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html;
> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545;
> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:3;)
> 
> 
> 
> for the record: I'm still not convinced that this is not a hoax.
> 
> 
> mex
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
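
The indicators in this thread (the "C3PO-r2d2-POE" magic at offset 0 of the first client payload, the ping/pong byte sequence, the two C2 addresses, and the observation that the trojan talks plain text on 443) applied to sample traffic, as an added example that is not code from either poster, the CCC report, or Emerging Threats. It checks only the client->server direction, the TLS check is a heuristic I added (a TLS record starts with content type 0x16 and major version 0x03), the `LimitThreshold` class re-implements Snort's `threshold:type limit ... track by_dst` semantics on top of the matches, and the sample flows and 203.0.113.x addresses are constructed, not captured data:

```python
# Added example (not code from the thread, CCC or ET): apply the thread's
# R2D2 indicators to constructed client->server payloads and rate-limit the
# resulting alerts the way Mex's "threshold:type limit" clauses do.

# Indicators taken from the signatures in the thread.
MAGIC = b"C3PO-r2d2-POE"                       # content:"C3PO-r2d2-POE"; depth:13
PING_PONG = bytes.fromhex("1126807cffffffff0026807c4225807c")  # ping/pong bytes
C2_SERVERS = {"207.158.22.134", "83.236.140.90"}  # SRV-1 / SRV-2 from Mex's rules


def looks_like_tls(payload: bytes) -> bool:
    """Heuristic added here (not from the thread): a TLS record starts with
    content type 0x16 (handshake) followed by major version 0x03."""
    return len(payload) >= 2 and payload[0] == 0x16 and payload[1] == 0x03


def match_indicators(dst_ip: str, dst_port: int, payload: bytes) -> list:
    """Return the indicator names a client->server segment matches."""
    hits = []
    # depth:13 with a 13-byte content means the string must sit at offset 0.
    if payload[: len(MAGIC)] == MAGIC:
        hits.append("r2d2-magic")
    if PING_PONG in payload:
        hits.append("r2d2-pingpong")
    if dst_ip in C2_SERVERS:
        hits.append("r2d2-c2-ip")
    # Mex's point that the trojan uses 443 without SSL, turned into a check.
    if dst_port == 443 and payload and not looks_like_tls(payload):
        hits.append("plaintext-on-443")
    return hits


class LimitThreshold:
    """threshold:type limit, count N, seconds S: pass the first N events per
    key in each S-second window and drop the rest of that window."""

    def __init__(self, count: int = 1, seconds: int = 60):
        self.count, self.seconds = count, seconds
        self.windows = {}  # key -> [window_start, events_seen]

    def allow(self, key, now: float) -> bool:
        win = self.windows.get(key)
        if win is None or now - win[0] >= self.seconds:
            win = self.windows[key] = [now, 0]
        win[1] += 1
        return win[1] <= self.count


def scan(flows, threshold=None):
    """flows: iterable of (ts, src_ip, dst_ip, dst_port, payload).
    Returns the alerts that survive thresholding as (ts, src, dst, indicator)."""
    threshold = threshold or LimitThreshold(count=1, seconds=60)
    alerts = []
    for ts, src, dst, dport, payload in flows:
        for hit in match_indicators(dst, dport, payload):
            if threshold.allow((hit, dst), ts):  # track by_dst, per indicator
                alerts.append((ts, src, dst, hit))
    return alerts


# Constructed sample traffic (not captured data): two beacons to a listed C2
# 10 s apart, one TLS ClientHello-looking record, one plain HTTP request on 443.
SAMPLE_FLOWS = [
    (0.0, "10.0.0.5", "83.236.140.90", 443, MAGIC + b"\x00\x01"),
    (10.0, "10.0.0.5", "83.236.140.90", 443, PING_PONG),
    (12.0, "10.0.0.7", "203.0.113.10", 443, bytes.fromhex("16030100") + b"\x00" * 40),
    (15.0, "10.0.0.9", "203.0.113.20", 443, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_FLOWS):
        print(alert)
```

The second beacon only produces a "r2d2-pingpong" alert: its "r2d2-c2-ip" and "plaintext-on-443" hits fall inside the 60-second window already opened by the first beacon to the same destination, which is exactly what the `count 1, seconds 60` clause in the thread's rules is for. The plaintext-on-443 check on its own will fire on any non-TLS service parked on 443, so it is a triage aid next to the content and IP matches, not a standalone signature.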


