Author Topic: Federal Trojan's got a "Big Brother"  (Read 3708 times)

Nesivos

  • Guest
Federal Trojan's got a "Big Brother"
« on: October 18, 2011, 07:18:51 PM »
Quote
Tillmann Werner
Kaspersky Lab Expert
Posted October 18, 15:15 GMT

About two weeks ago, the German Chaos Computer Club (CCC) published an analysis report of a backdoor trojan that they claim had been used by German police during investigations in order to capture VoIP and IM communication on a suspect's PC. Our friends over at F-Secure published a blog post last week where they wrote about another file that, according to them, seemed to be the dropper component of the trojan. They were kind enough to share the MD5 hash of the file, so we could pull it from our collection. Stefan and I took a closer look.

The dropper carries five other binaries in its resource table, so there are six components in total – each with a different purpose – all of which have been analyzed by us. Amongst the new things we found in there are two rather interesting ones: firstly, this version is not only capable of running on 32 bit systems; it also includes support for 64 bit versions of Windows. Secondly, the list of target processes to monitor is longer than the one mentioned in the CCC report. The number of applications infected by the various components is 15 in total.
Target Applications

Previous discussions of R2D2 mention Skype as a target application that is monitored by the trojan. The version analyzed by us indicates that Skype is targeted as well, but also all common web browsers, various instant messaging applications and voice-over-IP software, such as ICQ, MSN Messenger, Low-Rate Voip, paltalk, SimpPro, sipgate X-Lite, VoipBuster and Yahoo! Messenger. The list of process names is:

    explorer.exe
    firefox.exe
    icqlite.exe
    lowratevoip.exe
    msnmsgr.exe
    opera.exe
    paltalk.exe
    simplite-icq-aim.exe
    simppro.exe
    sipgatexlite.exe
    skype.exe
    skypepm.exe
    voipbuster.exe
    x-lite.exe
    yahoomessenger.exe

https://www.securelist.com/en/blog/208193167/Federal_Trojan_s_got_a_Big_Brother


You can read some more about Backdoor.R2D2.A here

[Malware Review] Backdoor.R2D2.A a.k.a “der Bundestrojaner”

Bitdefender has an x32 and x64 removal tool available for Backdoor.R2D2.A. Never hurts to be super cautious with stuff like this and use something in addition to avast! to check your computer just to make sure.

http://www.malwarecity.com/community/index.php?s=4c6187b94151981ea4a8e6865076d624&app=downloads&showcat=1
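The quoted analysis says the dropper carries five further binaries in its resource table and ships both 32-bit and 64-bit components. A quick defensive triage step for any suspected dropper is therefore to count the PE images embedded in it and read each one's COFF machine type. The script below is an added example (not from the Kaspersky post, the thread, or any vendor tool); it runs on a constructed blob rather than the real sample, and the 0x014C/0x8664 machine values are the standard COFF constants.

```python
import struct

# Standard COFF machine types (not page-specific values).
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def make_pe_stub(machine: int) -> bytes:
    """Build a minimal, non-runnable MZ/PE header pair as constructed test data."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", e_lfanew)  # e_lfanew -> PE signature
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes).
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xF0, 0x0102)
    return bytes(dos) + b"PE\x00\x00" + coff


def find_embedded_pe(blob: bytes, max_lfanew: int = 0x400):
    """Return (offset, machine) for every plausible PE image inside blob.

    A candidate starts at 'MZ'; its e_lfanew (at +0x3C) must stay inside the
    blob and point at a 'PE\\0\\0' signature. Triage heuristic, not a PE parser."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + lfanew
            if (0x40 <= lfanew <= max_lfanew and pe + 6 <= len(blob)
                    and blob[pe:pe + 4] == b"PE\x00\x00"):
                hits.append((pos, struct.unpack_from("<H", blob, pe + 4)[0]))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def summarize(blob: bytes):
    """Map each embedded image to a readable architecture label."""
    arch = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}
    return [(off, arch.get(m, f"unknown(0x{m:04x})")) for off, m in find_embedded_pe(blob)]


# Constructed "dropper" blob: an x86 stub, a decoy 'MZ' with no PE header, an x64 stub.
SAMPLE = (make_pe_stub(IMAGE_FILE_MACHINE_I386) + b"\x00" * 16
          + b"MZ junk without PE header ...." + b"\x00" * 64
          + make_pe_stub(IMAGE_FILE_MACHINE_AMD64))

if __name__ == "__main__":
    for off, arch in summarize(SAMPLE):
        print(f"embedded PE image at 0x{off:x}: {arch}")
```

On the constructed blob this reports two embedded images, one x86 and one x64, and skips the decoy "MZ" whose e_lfanew does not lead to a PE signature.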

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not an avast user
Re: Federal Trojan's got a "Big Brother"
« Reply #1 on: October 18, 2011, 07:46:11 PM »
Link Nr#2 does not work...

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037

REDACTED

  • Guest
Re: Federal Trojan's got a "Big Brother"
« Reply #3 on: October 19, 2011, 05:18:36 PM »

Avast detects this threat (10/10/2011 - 111010-2).

Win32:R2D2 [Trj], Win32:R2D2-B [Trj], Win32:R2D2-C [Trj], Win32:R2D2-E [Trj], Win32:R2D2-F [Trj],