On October 9th a German hacker group going by the name of the Chaos Computer Club (CCC) published an analysis of what they claim to be government spying software. The analysis is a 20 page PDF file describing how the software works. In addition, CCC made available a copy of the software on their website in the form of a .dll file and a .sys file (driver file). The CCC has not offered any proof of their claims that these are government affiliated samples.
Symantec has performed an initial analysis on the samples and has confirmed much of the functionality as described in the CCC document. The samples are malware--which Symantec detects as Backdoor.R2D2--that opens a back door allowing a remote attacker to access the compromised computer.
The back door .dll file, mfc42ul.dll, monitors chat and VOIP applications and is able to intercept status changes in the software, such as an incoming or outgoing call. It includes functionality to take screenshots of the desktop and upload this to a remote command and control (C&C) server.
Stolen data is AES encrypted using a static key stored in the executable. Commands are retrieved from the C&C over TCP port 443 in plain text.
The accompanying driver file, winsys32.sys, contains code to implement a keylogger, but this code does not appear to get activated. The driver can be controlled from the .dll file in order to perform the following actions:
By: Gavin O Gorman
Symantec has performed an initial analysis on the samples and has confirmed much of the functionality as described in the CCC document. The samples are malware--which Symantec detects as Backdoor.R2D2--that opens a back door allowing a remote attacker to access the compromised computer.
The back door .dll file, mfc42ul.dll, monitors chat and VOIP applications and is able to intercept status changes in the software, such as an incoming or outgoing call. It includes functionality to take screenshots of the desktop and upload this to a remote command and control (C&C) server.
Stolen data is AES encrypted using a static key stored in the executable. Commands are retrieved from the C&C over TCP port 443 in plain text.
The accompanying driver file, winsys32.sys, contains code to implement a keylogger, but this code does not appear to get activated. The driver can be controlled from the .dll file in order to perform the following actions:
- Create files
- Write files
- Rename files
- Delete files
- Create/modify registry entries
By: Gavin O Gorman