Updated 2013-08-16

Thx to Jared Atkinson

Last weekend, the German-based Chaos Computer Club (CCC) published details on a backdoor trojan they claimed was being used by German authorities, in violation of German law.

For more info on the German state backdoor go to:

Possible Governmental Backdoor Found

More Info on German State Backdoor

Several German states admit to use of controversial spy software

Download:

Here’s a memory image of a system running the malware (Thx to jwcsr):

0zapftis.rar

PW: infected

1.) Image Identification

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem imageinfo

2.) Processes

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem pslist

3.) Networking

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem connscan

One active connection to the IP address 172.16.98.1 on port 6666 is listed. According to the process list, process ID 1956 doesn’t belong to a browser process, such as Iexplore.exe or Firefox.exe, but rather to Explorer.exe. What is this system process doing on the internet?
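The cross-check described above, scripted over Volatility 2 style text output, as an added example that is not part of the original post: the pslist and connscan rows are constructed (only the explorer.exe PID 1956 connection to 172.16.98.1:6666 mirrors the case), and the list of expected network clients is an assumption you would tune per environment.

```python
# Constructed sample output modelled on Volatility 2 'pslist' and 'connscan' text
# for an XP image (the explorer.exe PID and endpoint match the case above).
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     58      371 ------      0
0x81f0e020 explorer.exe           1956   1920     19      600      0      0 2011-10-10 17:08:55 UTC+0000
0x81d8d7e8 iexplore.exe           2104   1956      7      290      0      0 2011-10-10 17:09:30 UTC+0000
"""
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01f8cbd8 192.168.56.101:1053       172.16.98.1:6666          1956
0x01fa1e08 192.168.56.101:1061       93.184.216.34:80          2104
0x02013a40 192.168.56.101:1040       10.0.0.9:445              3320
"""
# Assumed allowlist: processes expected to originate outbound connections on an end-user box.
EXPECTED_NETWORK_CLIENTS = {"iexplore.exe", "firefox.exe"}

def parse_pslist(text):
    """Map PID -> lower-cased process name; data rows start with an 0x offset."""
    procs = {}
    for line in text.splitlines():
        if line.startswith("0x"):
            _offset, name, pid = line.split(None, 3)[:3]
            procs[int(pid)] = name.lower()
    return procs

def parse_connscan(text):
    """Yield (local, remote, pid) for each carved connection."""
    for line in text.splitlines():
        if line.startswith("0x"):
            _offset, local, remote, pid = line.split()
            yield local, remote, int(pid)

def suspicious_connections(pslist_text, connscan_text):
    """Flag connections owned by an unexpected process, or by a PID missing
    from pslist (connscan carves physical memory, so it can surface a
    connection whose process has since exited or is hidden)."""
    procs = parse_pslist(pslist_text)
    findings = []
    for local, remote, pid in parse_connscan(connscan_text):
        name = procs.get(pid, "<not in pslist>")
        if name not in EXPECTED_NETWORK_CLIENTS:
            findings.append((pid, name, remote))
    return findings

if __name__ == "__main__":
    for pid, name, remote in suspicious_connections(PSLIST_OUTPUT, CONNSCAN_OUTPUT):
        print(f"PID {pid} ({name}) -> {remote}")
```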

Note:

The Chaos Computer Club modified the binary. The original IP address of the proxy is 207.158.22.134 on port 443.

4.) Researching IP Addresses

$ whois 207.158.22.134

$ whois 83.236.140.90

5.) Malware Detection

Now, it’s time for the Volatility plug-in malware.py, which was originally developed for the Malware Analyst’s Cookbook. The function ‘apihooks’ looks at the Explorer process with the PID 1956 and finds nothing. No inline hooks!

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -p 1956 apihooks

6.) Let’s try the function ‘malfind’ and the open source YARA project.

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -p 1956 -Y /home/evild3ad/yara-rules/malware.yara -D /home/evild3ad/Volatility/dump-files malfind

7.) VirusTotal

The plugin ‘malfind’ dropped the suspicious PE file it discovered to my output directory as a .dmp file. I submitted it to VirusTotal, and bingo, it is malicious and identified as ‘R2D2’ and ‘Bundestrojaner’. 😉

8.) Registry

The registry is spread across numerous files called ‘hives’. The current user’s registry branch, HKEY Current User (HKCU), is located in the hidden file NTUSER.DAT in the user’s home directory under \Documents and Settings\. There are two more important branches: HKEY Local Machine (HKLM) and its sub-branch for software, whose hive files live in \Windows\system32\config. But first, we need ‘hivelist’ to show us where Windows loaded these files into memory.

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem hivelist

Volatility finds HKCU at the virtual address 0xe1bb2b60 and HKLM/Software at the virtual address 0xe1544b60. With this information, we can now use ‘printkey’ to display individual keys and work through the autorun list. After a few dead ends, I notice something suspicious about ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows’.

$ python vol.py printkey -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -o 0xe1544b60 -K 'Microsoft\Windows NT\CurrentVersion\Windows'

All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current logon session.

I used Volatility’s cmdscan plugin, which returns the command history buffer from csrss.exe on XP systems. This plugin provided two results, “sc query malwar” and “sc query malware”. These commands are what prompted my look into the Services key.

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem cmdscan

When you look in the HKLM\SYSTEM\ControlSet001\Services key, you will find a subkey called ‘malware’.

$ python vol.py printkey -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -o 0xe1018388 -K 'ControlSet001\Services\malware'

This key represents a registered service. The value is set to ‘1’ which specifies that the driver is loaded at kernel initialization. This tells us that the ‘malware’ service, which points to the kernel driver (C:\WINDOWS\system32\drivers\winsys32.sys), starts at kernel initialization.

9.) Kernel Objects

$ python vol.py --profile=WinXPSP3x86 -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem filescan > filescan.txt

10.) Kernel Drivers

$ python vol.py --profile=WinXPSP3x86 -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem modules

Links:

Chaos Computer Club analysiert Staatstrojaner

Addendum Staatstrojaner

Piratenpartei Deutschland: Schreiben des bayrischen Justizministeriums als PDF

Friedrich-Alexander-Universität Erlangen-Nürnberg: Analyse und Vergleich von BckR2D2-I und II