[Emerging-Sigs] Sigs for Possible German Governmental Backdoor / R2D2.A (Bundestrojaner)

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 11 06:23:35 EDT 2011


We'll get them posted, this ought to be interesting!

Thanks all

Matt


On Oct 9, 2011, at 9:55 AM, Edward Fjellskål wrote:

> 
> Maybe also:
> 
> 
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"German Gov is on to
> you! Run"; flow:from_client,established; content:"|11 26 80 7c ff ff ff
> ff 00 26 80 7c 42 25 80 7c|"; classtype:trojan-activity;
> reference:url,ccc.de/en/updates/2011/staatstrojaner; sid:123456788; rev:1;)
> 
> 
> On 10/09/2011 03:53 PM, Edward Fjellskål wrote:
>> I wrote this sig on #snort today:
>> 
>> 07:57 < ebf0> alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"German
>> Gov is on to you! Run"; flow:from_client,established;
>> content:"C3PO-r2d2-POE"; depth:13; classtype:trojan-activity;
>> reference:url,ccc.de/en/updates/2011/staatstrojaner; sid:123456789; rev:1;)
>> 
>> 
>> 07:59 < ebf0> you might also sig on "|11 26 80 7c ff ff ff ff 00 26 80
>> 7c 42 25 80 7c|"
>> 07:59 < ebf0> (the ping/pong packets)
>> 07:59 < ebf0> client to server that is
>> 
>> 
>> 
>> E
>> 
>> On 10/09/2011 01:39 PM, Mex wrote:
>>> 
>>> very nice reverse-engineering, if so.
>>> the ccc-website provides some samples of this malware and it might
>>> be possible to detect and create sigs based on network-traffic
>>> (although talking via port 443 the trojan is not speaking ssl)
>>> 
>>> 
>>> http://www.ccc.de/en/updates/2011/staatstrojaner
>>> http://www.ccc.de/de/updates/2011/staatstrojaner
>>> http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf
>>> http://www.f-secure.com/weblog/archives/00002249.html
>>> http://www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html
>>> http://www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545
>>> 
>>> 
>>> #
>>> alert tcp 83.236.140.90 any -> $HOME_NET any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-2";
>>> flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 60;
>>> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner;
>>> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf;
>>> reference:url,www.f-secure.com/weblog/archives/00002249.html;
>>> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html;
>>> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545;
>>> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:2;)
>>> 
>>> #
>>> alert tcp $HOME_NET any -> 83.236.140.90 any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-2";
>>> flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60;
>>> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner;
>>> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf;
>>> reference:url,www.f-secure.com/weblog/archives/00002249.html;
>>> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html;
>>> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545;
>>> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:2;)
>>> 
>>> #
>>> alert tcp 207.158.22.134 any -> $HOME_NET any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Inbound SRV-1";
>>> flow:established,to_server; threshold:type limit, track by_src, count 1, seconds 60;
>>> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner;
>>> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf;
>>> reference:url,www.f-secure.com/weblog/archives/00002249.html;
>>> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html;
>>> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545;
>>> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:3;)
>>> 
>>> #
>>> alert tcp $HOME_NET any -> 207.158.22.134 any (msg:"Bundestrojaner (W32/R2D2 BTrojan) Outbound SRV-1";
>>> flow:established,to_server; threshold:type limit, track by_dst, count 1, seconds 60;
>>> classtype:trojan-activity;  reference:url,www.ccc.de/de/updates/2011/staatstrojaner;
>>> reference:url,www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf;
>>> reference:url,www.f-secure.com/weblog/archives/00002249.html;
>>> reference:url,www.heise.de/newsticker/meldung/CCC-knackt-Staatstrojaner-1357670.html;
>>> reference:url,www.virustotal.com/file-scan/report.html?id=be36ce1e79ba6f97038a6f9198057abecf84b38f0ebb7aaa897fd5cf385d702f-1318152545;
>>> reference:url,www.ccc.de/en/updates/2011/staatstrojaner; sid:XXXXXXX; rev:3;)
>>> 
>>> 
>>> 
>>> for the record: I'm still not convinced that this is not a hoax.
>>> 
>>> 
>>> mex
>>> 
>>> 
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at emergingthreats.net
>>> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>> 
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreatspro.com
>>> The ONLY place to get complete premium rulesets for Snort 2.4.0 through Current!
>> 
> 


----------------------------------------------------
Matt Jonkman
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 866-504-2523 x110
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------
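The two content matches proposed in the thread (the "C3PO-r2d2-POE" string with depth:13, and the ping/pong byte sequence) are worth exercising against sample payloads to see what they actually require, together with Mex's observation that the traffic on 443 is not SSL. The following is an added example, not code from the thread or from Emerging Threats; the sample payloads are constructed, and the Snort content/depth emulation is deliberately minimal.

```python
"""Added example: emulate the thread's Snort content matches on constructed
client->server payloads.  Snort treats text between pipes in a content
option as hex bytes, and depth:N limits the search to the first N bytes."""

def parse_content(spec):
    """Turn a Snort content string like 'ab|11 26|cd' into raw bytes."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        if i % 2 == 1:                       # inside |...|: hex byte pairs
            out += bytes.fromhex(part.replace(" ", ""))
        else:                                # literal text outside pipes
            out += part.encode("latin-1")
    return bytes(out)

def content_match(payload, spec, depth=None):
    """Emulate content:"spec"; depth:N; (depth=None searches the whole payload)."""
    pattern = parse_content(spec)
    window = payload if depth is None else payload[:depth]
    return pattern in window

# Patterns copied from the rules posted in the thread.
HANDSHAKE = "C3PO-r2d2-POE"                                      # sid:123456789, depth:13
PINGPONG = "|11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|"  # sid:123456788

def looks_like_tls(payload):
    """A TLS record starts 0x16 0x03; the trojan does not speak SSL on 443,
    so a 443 flow whose first bytes are not TLS deserves a closer look."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def classify(payload):
    """Return the list of findings for one client->server payload on tcp/443."""
    hits = []
    if content_match(payload, HANDSHAKE, depth=13):
        hits.append("R2D2 handshake string")
    if content_match(payload, PINGPONG):
        hits.append("R2D2 ping/pong bytes")
    if not hits and not looks_like_tls(payload):
        hits.append("non-TLS on 443 (inspect manually)")
    return hits

# Constructed sample payloads for illustration (not real captures).
SAMPLES = {
    "handshake": b"C3PO-r2d2-POE" + b"\x00" * 8,
    "handshake_late": b"XX" + b"C3PO-r2d2-POE",   # string starts past depth:13
    "pingpong": b"\x11\x26\x80\x7c\xff\xff\xff\xff\x00\x26\x80\x7c\x42\x25\x80\x7c",
    "tls_hello": b"\x16\x03\x01\x00\x50\x01",     # ordinary TLS ClientHello start
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:15s} -> {classify(data)}")
```

Note that depth:13 with a 13-byte string means the handshake rule only fires when the string sits at offset 0 of the payload, which is what the "handshake_late" sample shows.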
