Volatility Memory Forensics | Federal Trojan aka R2D2

Updated 2013-08-16
Thx to Jared Atkinson

Last weekend, the German based Chaos Computer Club (CCC) published details on a backdoor trojan they claimed was being used by German authorities, in violation of German law.

Fore more info on German State Backdoor go to:
Possible Governmental Backdoor Found
More Info on German State Backdoor
Several German states admit to use of controversial spy software

Download:
Here’s a memory image running the malware (Thx to jwcsr):
0zapftis.rar
PW: infected

1.) Image Identification

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem imageinfo

imageinfo

2.) Processes

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem pslist

pslist

3.) Networking

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem connscan

connscan

One active connection to the IP address 172.16.98.1 on port 6666 is listed. According to the process list, the process ID 1956 don’t belong to a browser process, such as Iexplore.exe or Firefox.exe, but rather to Explorer.exe. What is this system process doing on the internet?

Note:
The Chaos Computer Club modified the binary. The original IP address of the proxy is 207.158.22.134 on port 443.

4.) Researching IP Addresses

$ whois 207.158.22.134

whois

$ whois 83.236.140.90

whois

5.) Malware Detection
Now, it’s time for the Volatility plug-in malware.py, which was originally developed for the Malware Analyst’s Cookbook. The function ‘apihooks’ looks at the Explorer process with the PID 1956 and finds nothing. No inline hooks!

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -p 1956 apihooks

apihooks

6.) Let’s try the function ‘malfind’ and the open source YARA project.

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -p 1956 -Y /home/evild3ad/yara-rules/malware.yara -D /home/evild3ad/Volatility/dump-files malfind

YARA

7.) VirusTotal
The plugin ‘malfind’ dropped the suspicious PE file it discovered to my output directory as .dmp file. I submitted it to VirusTotal, and bingo, it is malicious and identified as ‘R2D2’ and ‘Bundestrojaner’. 😉

VirusTotal

8.) Registry
The registry is spread across numerous files called ‘hives’. The current user’s registry branch, HKEY Current User (HKCU), is located in the hidden file NTUSER.DAT of the home directory under \Documents and Settings\. There are two more important branches: HKEY Local Machine (HKLM) and the sub-branch for software in \Windows\system32\config. But first, we need to have ‘hivelist’ display where Windows put the files into memory.

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem hivelist

hivelist

Volatility finds HKCU at the virtual address 0xe1bb2b60 and HKLM/Software at the virtual address 0xe1544b60. With this information, we can now use ‘printkey’ to display individual keys and work through the autorun list. After a few dead ends, I notice something suspicious about ‘HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows’.

$ python vol.py printkey -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -o 0xe1544b60 -K 'Microsoft\Windows NT\CurrentVersion\Windows'

Registry

All the DLLs that are specified in this value are loaded by each Microsoft Windows-based application that is running in the current log on session.

I used Volatility’s cmdscan plugin which returns the command history buffer from csrss.exe on XP systems. This plugin provided two results “sc query malwar” and “sc query malware”. These commands are what prompted my look into the services key.

$ python vol.py -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem cmdscan

cmdscan

When you look in the HKLM\SYSTEM\ControlSet001\Services key you will find a subkey called ‘malware’.

$ python vol.py printkey -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem -o 0xe1018388 -K 'ControlSet001\Services\malware'

This key represents a registered service. The value is set to ‘1’ which specifies that the driver is loaded at kernel initialization. This tells us that the ‘malware’ service, which points to the kernel driver (C:\WINDOWS\system32\drivers\winsys32.sys), starts at kernel initialization.

Kernel Initialization

09.) Kernel Objects

$ python vol.py --profile=WinXPSP3x86 -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem filescan > filescan.txt

filescan

10.) Kernel Drivers

$ python vol.py --profile=WinXPSP3x86 -f /home/evild3ad/memory-samples/other/R2D2/0zapftis.vmem modules

Windows-Kernel-Modul

Links:
Chaos Computer Club analysiert Staatstrojaner
Addendum Staatstrojaner
Piratenpartei Deutschland: Schreiben des bayrischen Justizministeriums als PDF
Friedrich-Alexander-Universität Erlangen-Nürnberg: Analyse und Vergleich von BckR2D2-I und II

This Post Has 5 Comments

  1. […] => Federal Trojan’s got a « Big Brother ». 18/10/2011. «About two weeks ago, the German Chaos Computer Club (CCC) has published an analysis report of a backdoor trojan that they claim had been used by German police during investigations in order to capture VoIP and IM communication on a suspect’s PC. Our friends over at F-Secure published a blog post last week where they wrote about another file that, according to them, seemed to be the dropper component of the trojan. They were kind enough to share the MD5 hash of the file, so we could pull it from our collection. Stefan and I took a closer look (…).» Source : http://www.securelist.com/en/blog/208193167/Federal_Trojan_s_got_a_Big_Brother Billets en relation : 16/10/2011. Volatility Memory Forensics | Federal Trojan aka R2D2 : http://www.evild3ad.com/?p=1136 […]

  2. Additionally, if you look in the HKLMSYSTEMControlSet001Services key you will find a subkey called malware. This key represents a registered service that is set to type 1 which according to MSDN “Represents a driver to be loaded at Kernel initialization.” This tells us that the malware service, which points to C:windowssystem32driverswinsys32.sys, starts at Kernel initialization.

  3. Martin one last thing I forgot to mention was the method I used to tip me off to the “malware” service. I used volatility’s cmdscan plugin which returns the command history buffer from csrss.exe on XP systems. This plugin provided two results “sc query malwar” & “sc query malware”. These commands are what prompted my look into the services key.

    Great write up!

Comments are closed.