[Emerging-Sigs] Sigs for Possible German Governmental Backdoor / R2D2.A (Bundestrojaner)

Markus Manzke mm at mare-system.de
Tue Oct 11 16:17:44 EDT 2011


If I read correctly this is some kind of
idle-status, sent from the malware;

depth 16 seems to be wrong, there is some kind
of header before:


first bytes:
00000   43 33 50 4f 2d 72 32 64 32 2d 50 4f 45 00 99 96 C3PO-r2d2-POE
00010   07 00 00 00 1b c7 9b dc 5d 88 3d e1 57 a6 dd 7c      ]=W |
00020   32 33 43 43 43 32 33 00 35 0f d8 04 a1 c2 f2 df 23CCC23 5
...

idle-status
00000 11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c .&.|.....&.|B%.|

I'm not quite sure if this answer is encrypted
or not; I hoped ETPro would like to play
with the rootkit and the provided remote-control
and deliver a sig against the C&C communication


Read the PDF (English version available), quite interesting.




On 11.10.2011 22:00, Will Metcalf wrote:
> Can we set depth:16; on this bad-boy? :)
>
> Regards,
>
> Will
>
> On Tue, Oct 11, 2011 at 2:49 PM, Edward Fjellskål
> <edwardfjellskaal at gmail.com> wrote:
>> On 10/11/2011 08:10 PM, Markus Manzke wrote:
>>>
>>> Is this the encrypted handshake attempt?
>>>
>>>> |11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|
>>
>> From what I read from the pdf, it was the "ping/Pong" packets?
>>
>> E
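The depth question in this thread, worked through as an added example (not code from the thread or from Emerging Threats): it reproduces Snort/Suricata content/offset/depth semantics in Python and runs the candidate checks over the bytes quoted above. The payload layout (the 48-byte header from the first dump, followed by the 16-byte idle-status) is an assumption drawn from the post, not a captured packet.

```python
# Added example (not from the thread): how Snort/Suricata content modifiers
# behave on the byte samples quoted in the post. Semantics follow the Snort
# manual: offset skips N bytes, depth limits the search to N bytes after
# the offset. The packet layout (header, then idle-status, in one payload)
# is an assumption taken from the post, not a captured packet.

# Bytes transcribed from the hexdumps in the post.
HEADER = bytes.fromhex(
    "43 33 50 4f 2d 72 32 64 32 2d 50 4f 45 00 99 96 "
    "07 00 00 00 1b c7 9b dc 5d 88 3d e1 57 a6 dd 7c "
    "32 33 43 43 43 32 33 00 35 0f d8 04 a1 c2 f2 df "
)
IDLE_STATUS = bytes.fromhex("11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c")

# Constructed payload: header first, idle-status after it, as the post suggests.
PAYLOAD = HEADER + IDLE_STATUS


def content_match(payload, pattern, offset=0, depth=None):
    """Return the match position of `pattern` under Snort-style offset/depth,
    or -1. With depth=N the whole pattern must lie within the N bytes that
    start at `offset`; bytes.find() enforces exactly that window."""
    end = len(payload) if depth is None else offset + depth
    return payload.find(pattern, offset, end)


def evaluate_rules(payload=PAYLOAD):
    """Try the candidate content checks discussed in the thread."""
    return {
        # depth:16 on the idle-status bytes: fails, the header sits in front
        "idle_depth16": content_match(payload, IDLE_STATUS, depth=16) != -1,
        # the same bytes without depth: found further into the payload
        "idle_nodepth": content_match(payload, IDLE_STATUS) != -1,
        # the magic string at the very start is a safe depth:16 anchor
        "magic_depth16": content_match(payload, b"C3PO-r2d2-POE", depth=16) != -1,
        # idle-status pinned right after the 48-byte header via offset
        "idle_offset48": content_match(payload, IDLE_STATUS, offset=48, depth=16) != -1,
    }


if __name__ == "__main__":
    for name, hit in evaluate_rules().items():
        print(f"{name}: {'match' if hit else 'no match'}")
```

The same windowing logic applies to a real rule: either anchor on the leading magic string with depth:16, or leave depth off (or use offset) for the idle-status bytes.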

