Last weekend, the Germany-based Chaos Computer Club (CCC) published details on a backdoor trojan that it claimed was being used by German authorities, in violation of German law.
For more info on the German state backdoor go to:
Possible Governmental Backdoor Found
More Info on German State Backdoor
Several German states admit to use of controversial spy software
Here's a memory image of a system running the malware (thanks to jwcsr): 0zapftis.rar
1.) Image Identification
$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem imageinfo
2.) Process List
$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem pslist
3.) Network Connections
$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem connscan
One active connection, to the IP address 172.16.98.1 on port 6666, is listed. According to the process list, process ID 1956 doesn't belong to a browser process such as Iexplore.exe or Firefox.exe, but to Explorer.exe. What is this system process doing on the internet?
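The correlation just done by hand, process list against carved connections, is worth automating when an image has dozens of connections. The following script is an added example and is not code from the original post or from the Volatility project: it parses the text output of the Volatility 2.x `pslist` and `connscan` plugins, joins them on PID, and flags connections owned by processes that are not expected to talk to the network or that use uncommon remote ports. The sample output embedded below is constructed in the layout of those two plugins (only the PID 1956 / explorer.exe / 172.16.98.1:6666 row mirrors the finding above), and the list of "network-capable" processes and "common" ports is an assumption you should tune for the environment.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample text in the column layout of Volatility 2.x "pslist" and
# "connscan" on a Windows XP image. PID 1956 / explorer.exe talking to
# 172.16.98.1:6666 mirrors the finding in the post; every other row is made up.
PSLIST_OUTPUT = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c8830 System                    4      0     58      573 ------      0
0x81f7c020 smss.exe                536      4      3       21 ------      0 2011-10-10 17:06:29 UTC+0000
0x81f28020 explorer.exe           1956   1916     17      511      0      0 2011-10-10 17:06:37 UTC+0000
0x81e5a5c8 iexplore.exe           1040   1956      9      312      0      0 2011-10-10 17:08:02 UTC+0000
"""

CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x0241f2f0 192.168.6.128:1034        172.16.98.1:6666          1956
0x0241f870 192.168.6.128:1040        172.16.98.1:80            1040
0x02424008 192.168.6.128:1047        172.16.98.1:443           2844
"""

# Assumed allowlist: processes that normally own outbound TCP connections on a
# workstation. Anything else holding a live connection deserves a second look.
NETWORK_PROCESSES = {"iexplore.exe", "firefox.exe", "chrome.exe", "opera.exe",
                     "outlook.exe", "svchost.exe", "lsass.exe", "system"}
COMMON_PORTS = {80, 443}

PSLIST_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+)\s+(\d+)\s+(\d+)", re.IGNORECASE)
CONNSCAN_RE = re.compile(
    r"^0x[0-9a-f]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)", re.IGNORECASE)


@dataclass
class Connection:
    local_addr: str
    local_port: int
    remote_addr: str
    remote_port: int
    pid: int


@dataclass
class Finding:
    pid: int
    process: Optional[str]   # None when the PID is not present in pslist
    remote: str
    reasons: Tuple[str, ...]


def parse_pslist(text: str) -> Dict[int, Tuple[str, int]]:
    """Map PID -> (process name, parent PID) from pslist text output."""
    procs: Dict[int, Tuple[str, int]] = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs


def parse_connscan(text: str) -> List[Connection]:
    """Extract the carved TCP connections from connscan text output."""
    conns = []
    for line in text.splitlines():
        m = CONNSCAN_RE.match(line)
        if m:
            conns.append(Connection(m.group(1), int(m.group(2)),
                                    m.group(3), int(m.group(4)), int(m.group(5))))
    return conns


def triage(procs: Dict[int, Tuple[str, int]], conns: List[Connection]) -> List[Finding]:
    """Correlate every connection with its owning process and flag oddities."""
    findings = []
    for c in conns:
        remote = f"{c.remote_addr}:{c.remote_port}"
        entry = procs.get(c.pid)
        if entry is None:
            # connscan carves connection objects out of physical memory, so it
            # also returns connections of processes that have since exited; a
            # missing PID may be stale rather than hidden (cross-check with psscan).
            findings.append(Finding(c.pid, None, remote,
                                    ("PID not in pslist: exited or unlinked process",)))
            continue
        name = entry[0]
        reasons = []
        if name.lower() not in NETWORK_PROCESSES:
            reasons.append(f"{name} is not expected to own network connections")
        if c.remote_port not in COMMON_PORTS:
            reasons.append(f"unusual remote port {c.remote_port}")
        if reasons:
            findings.append(Finding(c.pid, name, remote, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(parse_pslist(PSLIST_OUTPUT), parse_connscan(CONNSCAN_OUTPUT)):
        print(f"PID {f.pid} ({f.process or 'unknown'}) -> {f.remote}: " + "; ".join(f.reasons))
```

In practice, redirect the output of `vol.py ... pslist` and `vol.py ... connscan` to files and feed those to the two parsers. The script treats a PID that is absent from `pslist` as a separate finding rather than ignoring it, because the carved connection may belong to a process that already exited or to one unlinked from the process list; `psscan` is the plugin to settle which.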
The Chaos Computer Club modified the binary. The original IP address of the proxy is 126.96.36.199 on port 443.
4.) Researching IP Addresses
$ whois 188.8.131.52
$ whois 184.108.40.206
5.) Malware Detection
Now it's time for the Volatility plugin malware.py, which was originally developed for the Malware Analyst's Cookbook. Its 'apihooks' function examines the Explorer process with PID 1956 and finds nothing: no inline hooks!
$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -p 1956 apihooks
6.) Let's try the 'malfind' function together with the open-source YARA project.
$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -p 1956 -Y /home/evild3ad/yara-rules/malware.yara -D /home/evild3ad/Volatility/dump-files malfind
The 'malfind' plugin dumped the suspicious PE file it discovered into my output directory as a .dmp file. I submitted it to VirusTotal and, bingo, it is malicious, identified as 'R2D2' and 'Bundestrojaner'.
The registry is spread across several files called 'hives'. The current user's branch, HKEY_CURRENT_USER (HKCU), lives in the hidden file NTUSER.DAT in the user's profile directory under \Documents and Settings\. The other important branch, HKEY_LOCAL_MACHINE (HKLM), is backed by the hives in \Windows\system32\config, among them the SOFTWARE hive that holds the autorun locations we are after. Before 'printkey' can read a hive, 'hivelist' has to tell us where Windows mapped the hive files in memory.
$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem hivelist
Volatility finds HKCU at virtual address 0xe1bb2b60 and HKLM\Software at virtual address 0xe1544b60. With these offsets (passed via -o to select the hive) we can use 'printkey' to display individual keys and work through the autorun locations. After a few dead ends, I notice something suspicious about 'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows'.
$ python vol.py printkey -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -o 0xe1544b60 -K 'Microsoft\Windows NT\CurrentVersion\Windows'
This key holds the AppInit_DLLs value. All DLLs specified in that value are loaded by every Windows application running in the current logon session (more precisely, by every process that loads user32.dll), which makes it a well-known persistence location for malware.
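Because AppInit_DLLs is empty on a default Windows XP install, any entry at all is a lead, and the same check can be scripted over `printkey` output for every hive in an image. The following script is an added example, not code from the original post or from Volatility: it parses the Values section of Volatility 2.x `printkey` output, extracts AppInit_DLLs, splits the entries the way Windows does (space or comma separated), and reports each DLL together with why it was flagged. The embedded output is constructed in the printkey layout; the DLL path `C:\WINDOWS\system32\suspect.dll` is a placeholder and not the value recovered from the 0zapftis image, and the `known_good` allowlist is an assumed, analyst-supplied list.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample text in the layout of Volatility 2.x "printkey" output for
# HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows. The DLL path is a
# placeholder, not the value from the real image; the other value names are the
# ones normally present under that key on Windows XP.
PRINTKEY_OUTPUT = r"""Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Windows (S)
Last updated: 2011-10-10 17:06:37 UTC+0000

Subkeys:

Values:
REG_SZ        AppInit_DLLs    : (S) C:\WINDOWS\system32\suspect.dll
REG_SZ        DeviceNotSelectedTimeout : (S) 15
REG_DWORD     GDIProcessHandleQuota : (S) 10000
REG_SZ        Spooler         : (S) yes
REG_DWORD     swapdisk        : (S) 0
REG_SZ        TransmissionRetryTimeout : (S) 90
REG_DWORD     USERProcessHandleQuota : (S) 10000
"""

# One printkey value line: "<type>  <name> : (S|V) <data>"
VALUE_RE = re.compile(r"^(REG_\w+)\s+(\S+)\s+:\s+\(([SV])\)\s?(.*)$")


@dataclass
class AppInitFinding:
    dll: str
    reasons: Tuple[str, ...]


def parse_values(text: str) -> Dict[str, Tuple[str, str]]:
    """Map value name -> (registry type, data) from the Values section."""
    values: Dict[str, Tuple[str, str]] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            values[m.group(2)] = (m.group(1), m.group(4).strip())
    return values


def check_appinit_dlls(values: Dict[str, Tuple[str, str]],
                       known_good: Iterable[str] = ()) -> List[AppInitFinding]:
    """Flag every DLL listed in AppInit_DLLs.

    On a default Windows XP install the value is empty, so each entry is
    reported; known_good (assumed allowlist of file names) suppresses vetted
    entries. Extra reasons are added for DLLs outside %SystemRoot%\system32 and
    for bare file names, which Windows resolves via the DLL search order.
    """
    _, data = values.get("AppInit_DLLs", ("REG_SZ", ""))
    allow = {k.lower() for k in known_good}
    findings = []
    # Windows accepts spaces or commas as separators in AppInit_DLLs.
    for raw in re.split(r"[ ,]+", data):
        path = raw.strip().strip('"')
        if not path:
            continue
        directory, _, name = path.rpartition("\\")
        if name.lower() in allow:
            continue
        reasons = ["AppInit_DLLs is non-empty (empty on a default Windows XP install)"]
        if not directory:
            reasons.append("bare file name: resolved through the DLL search order")
        elif not directory.lower().endswith("\\system32"):
            reasons.append("DLL is located outside %SystemRoot%\\system32")
        findings.append(AppInitFinding(path, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in check_appinit_dlls(parse_values(PRINTKEY_OUTPUT)):
        print(f"{f.dll}: " + "; ".join(f.reasons))
```

Once a DLL is flagged, confirm it with `dlllist -p 1956` (is it actually mapped into explorer.exe?) and use `filescan` to find its FILE_OBJECT in memory. A DLL that sits in system32 is not automatically benign; the location check only separates the obvious drop-in-a-temp-folder case from the harder one.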
9.) Kernel Objects
$ python vol.py --profile=WinXPSP3x86 -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem filescan > filescan.txt
10.) Kernel Drivers
$ python vol.py --profile=WinXPSP3x86 -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem modules