[Emerging-Sigs] Sigs for Possible German Governmental Backdoor / R2D2.A (Bundestrojaner)

Edward Fjellskål edwardfjellskaal at gmail.com
Sun Oct 9 09:55:35 EDT 2011


Maybe also:



alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"German Gov is on to you! Run"; flow:from_client,established; content:"|11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|"; classtype:trojan-activity; reference:url,ccc.de/en/updates/2011/staatstrojaner; sid:123456788; rev:1;)


On 10/09/2011 03:53 PM, Edward Fjellskål wrote:
> I wrote this sig on #snort today:
> 
> 07:57 < ebf0> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"German Gov is on to you! Run"; flow:from_client,established; content:"C3PO-r2d2-POE"; depth:13; classtype:trojan-activity; reference:url,ccc.de/en/updates/2011/staatstrojaner; sid:123456789; rev:1;)
> 
> 
> 07:59 < ebf0> you might also sig on "|11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|"
> 07:59 < ebf0> (the ping/pong packets)
> 07:59 < ebf0> client to server that is
> 
> 
> 
> E
> 
> On 10/09/2011 01:39 PM, Mex wrote:
>>
>> very nice reverse-engineering, if so.
>> the ccc-website provides some samples of this malware and it might
>> be possible to detect and create sigs based on network-traffic
>> (although talking via port 443 the trojan is not speaking ssl)
>>
>>
>> http://www.ccc.de/en/updates/2011/staatstrojaner
>> http://www.ccc.de/de/updates/2011/staatstrojaner
>> http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
>> http://www.f-secure.com/weblog/archives/00002249.html
>> http://www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html
>> http://www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545
>>
>>
>> #
>> alert tcp 83.236.140.90 any -> $HOME_NET any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2"; \
>> flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 60; \
>> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner; \
>> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; \
>> reference:url,www.f-secure.com/weblog/archives/00002249.html; \
>> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; \
>> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; \
>> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:2;)
>>
>> #
>> alert tcp $HOME_NET any -> 83.236.140.90 any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2"; \
>> flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60; \
>> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner; \
>> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; \
>> reference:url,www.f-secure.com/weblog/archives/00002249.html; \
>> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; \
>> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; \
>> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:2;)
>>
>> #
>> alert tcp 207.158.22.134 any -> $HOME_NET any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1"; \
>> flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 60; \
>> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner; \
>> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; \
>> reference:url,www.f-secure.com/weblog/archives/00002249.html; \
>> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; \
>> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; \
>> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:3;)
>>
>> #
>> alert tcp $HOME_NET any -> 207.158.22.134 any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1"; \
>> flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60; \
>> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner; \
>> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf; \
>> reference:url,www.f-secure.com/weblog/archives/00002249.html; \
>> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html; \
>> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545; \
>> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:3;)
>>
>>
>>
>> for the record: I'm still not convinced that this is not a hoax.
>>
>>
>> mex
>>
>>
> 
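An added example, not from the thread or any of its posters: a small Python matcher that turns the two Snort content patterns discussed above (the "C3PO-r2d2-POE" magic with depth:13 and the |hex| ping/pong bytes) into raw bytes, applies Snort's depth semantics, and first checks that a port-443 payload is not a TLS handshake, since the thread notes the trojan does not speak SSL on 443. The sample payloads are constructed for the test, not captured traffic.

```python
import re

# Snort content patterns quoted in the thread
R2D2_MAGIC = 'C3PO-r2d2-POE'
R2D2_PINGPONG = '|11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|'

_HEX_RE = re.compile(r'\|([0-9a-fA-F\s]+)\|')


def snort_content_to_bytes(pattern):
    """Translate a Snort content string (with |hex| escapes) into raw bytes."""
    out = bytearray()
    pos = 0
    for m in _HEX_RE.finditer(pattern):
        out += pattern[pos:m.start()].encode('latin-1')
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += pattern[pos:].encode('latin-1')
    return bytes(out)


def content_matches(payload, pattern, depth=None):
    """Snort 'content' with optional 'depth': search only the first `depth` bytes."""
    needle = snort_content_to_bytes(pattern)
    haystack = payload if depth is None else payload[:depth]
    return needle in haystack


def looks_like_tls(payload):
    """TLS record header: content type 0x16 (handshake), major version 0x03."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def classify(payload):
    """Label a client-to-server payload seen on tcp/443."""
    if looks_like_tls(payload):
        return 'tls'
    if content_matches(payload, R2D2_MAGIC, depth=13):
        return 'r2d2-magic'
    if content_matches(payload, R2D2_PINGPONG):
        return 'r2d2-pingpong'
    return 'unknown'


# Constructed sample payloads (not real captures)
SAMPLES = {
    'magic': b'C3PO-r2d2-POE' + b'\x00' * 8,
    'late': b'xxxxx' + b'C3PO-r2d2-POE',  # magic past depth:13 -> no match
    'pingpong': bytes.fromhex('1126807cffffffff0026807c4225807c'),
    'tls': bytes.fromhex('160301') + b'\x00\x2f\x01',  # real TLS ClientHello start
}
```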


