[Emerging-Sigs] Sigs for Possible German Governmental Backdoor / R2D2.A (Bundestrojaner)

Will Metcalf william.metcalf at gmail.com
Tue Oct 11 16:27:21 EDT 2011


> read the pdf (English version available), quite interesting.

Link? I only see German...

Regards,

Will

On Tue, Oct 11, 2011 at 3:17 PM, Markus Manzke <mm at mare-system.de> wrote:
>
> if I read correctly this is some kind of
> idle-status, sent by the malware;
>
> depth 16 seems to be wrong, there is some kind
> of header before:
>
>
> first bytes:
> 00000   43 33 50 4f 2d 72 32 64 32 2d 50 4f 45 00 99 96   C3PO-r2d2-POE...
> 00010   07 00 00 00 1b c7 9b dc 5d 88 3d e1 57 a6 dd 7c   ........].=.W..|
> 00020   32 33 43 43 43 32 33 00 35 0f d8 04 a1 c2 f2 df   23CCC23.5.......
> ...
>
> idle-status
> 00000 11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c .&.|.....&.|B%.|
>
> I'm not quite sure if this answer is encrypted
> or not; I hoped ETPro would like to play
> with the rootkit and the provided remote-control
> and deliver a sig against the C&C communication
>
>
> read the pdf (English version available), quite interesting.
>
>
>
>
> On 11.10.2011 22:00, Will Metcalf wrote:
>>
>> Can we set depth:16; on this bad-boy? :)
>>
>> Regards,
>>
>> Will
>>
>> On Tue, Oct 11, 2011 at 2:49 PM, Edward Fjellskål
>> <edwardfjellskaal at gmail.com> wrote:
>>>
>>> On 10/11/2011 08:10 PM, Markus Manzke wrote:
>>>>
>>>> is this the encrypted handshake attempt?
>>>>
>>>>> |11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c|
>>>
>>> From what I read in the pdf, these were the "ping/pong" packets?
>>>
>>> E
>
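The depth question in the thread is easy to settle by emulating how Snort/Suricata evaluate `content` with `depth`: the pattern has to fall entirely inside the first `depth` bytes of the payload (counted from `offset`), so a 13-byte marker with `depth:16` tolerates at most 3 bytes of preceding header. The block below is an added example, not code from the thread or from ETPro; the byte strings are transcribed from the hex dump Markus posted, and the 8-byte prefix used to simulate a leading header is a constructed assumption, not an observed packet layout.

```python
"""Emulate Snort/Suricata content/offset/depth matching against the bytes
quoted in the thread, to see what depth a "C3PO-r2d2-POE" signature needs.
Added example, not part of the original mailing-list post."""

# First 48 bytes transcribed from the hex dump in the thread (offsets 0x00-0x2f).
CAPTURED = bytes.fromhex(
    "43 33 50 4f 2d 72 32 64 32 2d 50 4f 45 00 99 96 "
    "07 00 00 00 1b c7 9b dc 5d 88 3d e1 57 a6 dd 7c "
    "32 33 43 43 43 32 33 00 35 0f d8 04 a1 c2 f2 df "
)

# The 16-byte "idle-status" / ping-pong packet quoted in the thread.
IDLE_STATUS = bytes.fromhex("11 26 80 7c ff ff ff ff 00 26 80 7c 42 25 80 7c")

MARKER = b"C3PO-r2d2-POE"

# ASSUMPTION: a hypothetical 8-byte header in front of the marker, constructed
# here only to show how a fixed depth behaves if such a header exists.
HYPOTHETICAL_HEADER = b"\x00" * 8


def content_match(payload, content, offset=0, depth=None):
    """Return the absolute payload offset where `content` matches under
    Snort/Suricata semantics, or None.

    `offset` skips that many bytes before the search starts; `depth` limits
    how many bytes after `offset` are searched, and the whole pattern must
    fit inside that window (a pattern that starts inside the window but runs
    past its end does not match)."""
    window = payload[offset:] if depth is None else payload[offset:offset + depth]
    pos = window.find(content)
    return None if pos < 0 else offset + pos


def max_header_len(content, depth):
    """Largest number of leading bytes a `depth` still tolerates before
    `content` while the pattern stays fully inside the window."""
    return max(depth - len(content), 0)


def min_depth_for(payload, content, offset=0):
    """Smallest depth that lets `content` match at its first occurrence in
    `payload`, or None if the content is absent."""
    pos = payload.find(content, offset)
    return None if pos < 0 else pos + len(content) - offset


def rule_fragment(content, depth):
    """Render the content/depth options as they would appear in a rule body.
    Only the two options under discussion are emitted; sid/rev/msg are left
    to whoever writes the real signature."""
    return 'content:"%s"; depth:%d;' % (content.decode("ascii"), depth)


if __name__ == "__main__":
    print("marker at", content_match(CAPTURED, MARKER, depth=16), "with depth:16")
    print("depth:16 tolerates", max_header_len(MARKER, 16), "header bytes")
    prefixed = HYPOTHETICAL_HEADER + CAPTURED
    print("with an 8-byte header, depth:16 ->", content_match(prefixed, MARKER, depth=16))
    print("with an 8-byte header, depth:32 ->", content_match(prefixed, MARKER, depth=32))
    print("minimum depth for the prefixed case:", min_depth_for(prefixed, MARKER))
    print("idle-status packet contains marker?", content_match(IDLE_STATUS, MARKER) is not None)
    print(rule_fragment(MARKER, 16))
```

On the bytes quoted in the thread the marker sits at offset 0, so `depth:16` does match that capture; the function also shows that the same depth stops matching as soon as more than 3 bytes precede the marker, and that the 16-byte idle-status packet never contains the marker, so a `C3PO-r2d2-POE` content match says nothing about the keepalive traffic either way.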

