
Federal Trojan's got a "Big Brother"

Tillmann Werner
Kaspersky Lab Expert
Posted October 18, 15:15  GMT
Tags: Rootkits, Targeted Attacks, x64, Keyloggers

About two weeks ago, the German Chaos Computer Club (CCC) published an analysis report on a backdoor trojan that, they claim, had been used by German police during investigations to capture VoIP and IM communication on a suspect's PC. Our friends over at F-Secure published a blog post last week about another file that, according to them, appeared to be the dropper component of the trojan. They were kind enough to share the MD5 hash of the file, so we could pull it from our collection. Stefan and I took a closer look.

The dropper carries five other binaries in its resource table, so there are six components in total, each with a different purpose, all of which we analyzed. Among the new things we found are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows. Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.

Target Applications

Previous discussions of R2D2 mention Skype as a target application monitored by the trojan. The version we analyzed targets Skype as well, but also all common web browsers and various instant messaging and voice-over-IP applications, such as ICQ, MSN Messenger, Low-Rate Voip, paltalk, SimpPro, sipgate X-Lite, VoipBuster and Yahoo! Messenger. The list of process names is:

  • explorer.exe
  • firefox.exe
  • icqlite.exe
  • lowratevoip.exe
  • msnmsgr.exe
  • opera.exe
  • paltalk.exe
  • simplite-icq-aim.exe
  • simppro.exe
  • sipgatexlite.exe
  • skype.exe
  • skypepm.exe
  • voipbuster.exe
  • x-lite.exe
  • yahoomessenger.exe

Code injection into target processes is carried out by the dropper, by two user-mode components and also by a 32 bit kernel driver with extended functionality compared to the version previously analyzed, which only provided an interface for registry and file system modifications. This new driver starts an additional thread that constantly loops over the current list of running processes and injects a DLL into each process whose image name matches an entry from the following list:

Figure 1: List of target process names in the 32 bit kernel driver

All target processes we found in the different user-mode components are also covered by the driver.

Two different DLL injection methods are implemented. The first registers the user-mode library in the Windows registry as an AppInit DLL so that it is loaded into processes at creation time. The second creates a remote thread in already running processes and injects a piece of position-independent code that maps the mfc42ul.dll file, one of the user-mode modules, into the target process memory. The following screenshot shows the first few instructions of the injection code:

Figure 2: Position-independent code to load a DLL into a target process
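The AppInit DLL registration described above is the easier of the two injection methods to audit, because it leaves a value in a well-known registry key. The following is an added example (not code from the post, nor from the R2D2 samples): it parses the text of a .reg export of that key and reports settings that would make Windows load an extra DLL into user-mode processes. The registry key paths and the LoadAppInit_DLLs / RequireSignedAppInit_DLLs values are real Windows values that the post does not mention; the .reg text is constructed for the example, with the DLL name mfc42ul.dll taken from the post and its directory a placeholder.

```python
"""Audit a Windows registry export for AppInit_DLLs-based DLL injection.

Added example, not code from the Securelist post or from the R2D2 samples.
It parses a .reg export of the key that controls the AppInit mechanism and
reports anything that would make Windows load an extra DLL into every
user-mode process. The .reg text is constructed; only mfc42ul.dll is from
the post, the directory is a placeholder.
"""
import re

# Real keys: the native view and the 32 bit (WOW64) view on 64 bit Windows.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)

# Constructed .reg export in the format 'reg export' writes, not a real capture.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PLACEHOLDER_DIR\\mfc42ul.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""
"LoadAppInit_DLLs"=dword:00000000
"""

_VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"=(.*)')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; handles REG_SZ and REG_DWORD only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if not m:
                continue
            name, rhs = m.group(1), m.group(2).strip()
            if rhs.startswith("dword:"):
                keys[current][name] = int(rhs[len("dword:"):], 16)
            elif len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
                # .reg files escape backslash and double quote with a backslash
                keys[current][name] = re.sub(r"\\(.)", r"\1", rhs[1:-1])
    return keys


def audit_appinit(keys):
    """Return (key_path, finding) tuples for risky AppInit settings."""
    findings = []
    for key in APPINIT_KEYS:
        values = keys.get(key)
        if values is None:
            continue
        # AppInit_DLLs is a space- or comma-separated list of DLL paths
        dlls = [d for d in re.split(r"[ ,]+", values.get("AppInit_DLLs", "")) if d]
        load_enabled = values.get("LoadAppInit_DLLs", 0) == 1
        for dll in dlls:
            severity = "HIGH" if load_enabled else "MEDIUM"
            findings.append((key, f"{severity}: AppInit_DLLs lists {dll} "
                                  f"(LoadAppInit_DLLs={int(load_enabled)})"))
        if dlls and load_enabled and values.get("RequireSignedAppInit_DLLs") == 0:
            findings.append((key, "HIGH: RequireSignedAppInit_DLLs is 0, "
                                  "so unsigned AppInit DLLs are loaded"))
    return findings


if __name__ == "__main__":
    for key, finding in audit_appinit(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"{finding}\n    at {key}")
```

On a live machine the same audit runs against `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg`; an empty AppInit_DLLs value with LoadAppInit_DLLs set to 0 is the expected clean state, and the WOW64 key must be checked separately on 64 bit systems because 32 bit processes read that view.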

64 bit Kernel Driver

When the dropper installs the kernel-mode component, it derives the resource name from the architecture (either 32 or 64 bit) and installs an appropriate driver:

Figure 3: Code to determine and load the appropriate kernel driver for the architecture

Unlike the 32 bit version, the 64 bit driver does not contain any process infection functionality; it only provides a rudimentary privilege escalation interface through file system and registry access. Like its 32 bit counterpart, it creates a device and implements a basic protocol for communicating with user-mode applications.

Figure 4: Device creation routine in the 64 bit driver

It is well known that 64 bit kernel modules must carry a valid digital signature that the operating system can verify, or loading the driver fails. The driver that comes with the rootkit contains a certificate with a 1024 bit RSA key (fingerprint e5445e4a 9c7d24c8 43f0c669 e2a8d3a1 78cf7fa8), issued by Goose Cert on April 11, 2010. However, this certificate is not trusted by default: it must be installed and its trustworthiness confirmed on the machine before the driver will load.

Figure 5: Certificate from the 64 bit driver
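The fingerprint quoted above is what a defender would match on: an added example (not code from the post) that treats the 160 bit fingerprint as the SHA-1 thumbprint Windows displays for a certificate, i.e. the SHA-1 of its DER encoding, which is an assumption on our side. It normalises fingerprints written in either the grouped or the colon-separated notation and matches a certificate blob against a blocklist holding the post's fingerprint. The DER bytes fed in are constructed placeholders, not the real certificate; extracting the certificate from a driver's Authenticode signature is left to whatever PE tooling is at hand.

```python
"""Match a driver's signing certificate against a fingerprint blocklist.

Added example, not code from the Securelist post. Assumes the fingerprint
given in the post is the SHA-1 thumbprint (SHA-1 over the DER-encoded
certificate). The blocklist entry is the fingerprint from the post; the
certificate bytes used below are constructed placeholders.
"""
import hashlib

# Fingerprint from the post, stored as bare lowercase hex.
CERT_BLOCKLIST = {
    "e5445e4a9c7d24c843f0c669e2a8d3a178cf7fa8":
        "R2D2 64 bit driver signing certificate (issuer 'Goose Cert', 2010-04-11)",
}


def fingerprint(der_bytes):
    """SHA-1 thumbprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha1(der_bytes).hexdigest()


def normalize_fingerprint(text):
    """Accept 'e5445e4a 9c7d24c8 ...' or 'E5:44:5E:...' and return bare lowercase hex."""
    return "".join(ch for ch in text.lower() if ch in "0123456789abcdef")


def format_fingerprint(hex_digest):
    """Render a thumbprint in the 8-digit groups used in the post."""
    return " ".join(hex_digest[i:i + 8] for i in range(0, len(hex_digest), 8))


def lookup_fingerprint(text):
    """Blocklist description for a fingerprint in any common notation, or None."""
    fp = normalize_fingerprint(text)
    if len(fp) != 40:
        raise ValueError("expected a 160 bit (SHA-1) fingerprint")
    return CERT_BLOCKLIST.get(fp)


def check_certificate(der_bytes):
    """Return (grouped fingerprint, blocklist description or None) for a DER blob."""
    fp = fingerprint(der_bytes)
    return format_fingerprint(fp), CERT_BLOCKLIST.get(fp)


if __name__ == "__main__":
    # Constructed placeholder bytes; a real check feeds the DER certificate
    # extracted from the driver's signature blob.
    print(check_certificate(b"PLACEHOLDER-DER-CERTIFICATE"))
    print(lookup_fingerprint("e5445e4a 9c7d24c8 43f0c669 e2a8d3a1 78cf7fa8"))
```

Because the certificate only becomes usable once it has been installed and trusted on the victim machine, the same fingerprint is also worth checking against the local certificate stores, not just against driver files on disk.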

All components are detected by Kaspersky as variants of the R2D2 trojan/rootkit. The dropper was previously heuristically detected and blocked by us as an invasive program.


3 comments


scusi

2011 Oct 18, 22:05

open questions

encryption
- is the new version using the same key as the known (old) variant?
-- if not:
--- is the key static within the binary, or is it configurable?
--- what is the actual key value?
- is there any difference in encryption of communication compared to the old version?
-- if so, can you please describe the differences
update
- can the new version update itself?
-- if so, any differences to the known version?
-- what are the differences?
functions
- is there any difference of functionality compared to the old/known version?
-- if so, what are the differences?
C&C server/proxy
- any differences in the IP addresses the malware communicates with?
-- if so, in which country are they located?

All of the above questions are kind of important in Germany for legal reasons. It would be great if you could answer them.

Thank you.

Edited by scusi, 2011 Oct 18, 23:25


md5sum

2011 Oct 18, 23:45

md5sum(s) or it didn't happen

please provide md5sum(s) to claim your achievements


secdown

2011 Oct 19, 03:09

No big difference to R2D2

> "Previous discussions of R2D2 mention Skype as a target application that is monitored by the trojan"

Trojan R2D2 also at least lists the following programs inside its code:

skype.exe
seamonkey.exe
navigator.exe
opera.exe
iexplore.exe
firefox.exe
%s~tmp%08x~.exe
SkypePM.exe
sipgatexlite.exe
x-lite.exe
yahoomessenger.exe
msnmsgr.exe
explorer.exe
SkypePM.exe
Skype.exe
