Malicious Code Alert

Backdoor:W32/R2D2.A

 
Threat Type: CWE-119: Buffer Errors
IntelliShield ID: 24352
Version: 1
First Published: 2011 October 13 18:21 GMT
Last Published: 2011 October 13 18:21 GMT
Port: 443
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary: Backdoor:W32/R2D2.A is a trojan that targets Microsoft Windows platforms.  The trojan can log keystrokes, take screenshots at regular intervals, record or stream encrypted Skype audio calls, decrypt SSL traffic, hide the origin of its traffic behind proxy servers, and download and execute additional malware on command.
 
Aliases/Variants

R2D2, 0zapftis, scuinst.exe, Bundestrojaner

Virus Name:

Backdoor:W32/R2D2.A, (Aliases include TR/GruenFink.2 (AntiVir), Trojan.BTroj-1 (ClamAV), BackDoor.RTwoDTwo.1 (DrWeb), Backdoor:W32/R2D2.A (F-Secure), Backdoor.Win32.R2D2.a (Kaspersky), Artemis!D6791F5AA623 (McAfee), Troj/BckR2D2-A (Sophos), Backdoor.Earltwo (Symantec), BKDR_R2D2.A (TrendMicro)).

 

Description
 

Backdoor:W32/R2D2.A is a trojan that targets Microsoft Windows platforms.  The trojan can log keystrokes, take screenshots at regular intervals, record or stream encrypted Skype audio calls, decrypt SSL traffic, hide the origin of its traffic behind proxy servers, and download and execute additional applications on command.

The scuinst.exe component, an embedded Skype Capture Unit Installer, allows interception of Skype audio calls.  According to the analysis, the trojan uses a variant of a man-in-the-middle technique to obtain the key material and cryptographic metadata that Skype uses to encrypt and decrypt audio calls.

Backdoor:W32/R2D2.A could access the following locations to obtain remote updates or to retrieve additional instructions:

207.158.22.134
83.236.140.90

The trojan installs two components in C:\windows\system32\: a kernel-mode driver, winsys32.sys, and a user-mode DLL, mfc42ul.dll.  The DLL is the component that is loaded into user processes; it does not infect an existing driver.

The trojan adds its DLL to the following registry value so that Windows loads the DLL at startup and the trojan persists across reboots:

AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

Virus definitions are available.


Impact
 

Backdoor:W32/R2D2.A is a trojan that could log keystrokes, take screenshots at regular intervals, record or stream encrypted Skype audio calls, decrypt SSL traffic, hide the origin of its traffic behind proxy servers, and download and execute additional applications on command.


Warning Indicators
 

The following system changes may indicate the presence of this trojan:

The presence of the following file:

C:\windows\system32\mfc42ul.dll

The modification of the following registry value to include the malicious DLL file:

AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows


Technical Information
 

Backdoor:W32/R2D2.A adds mfc42ul.dll to the following registry value.  DLLs listed in AppInit_DLLs are loaded by Windows into every process that loads user32.dll, which gives the trojan persistence across reboots and a presence inside most interactive applications; they are not loaded as services:

AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows

On Windows 7, entries in AppInit_DLLs are loaded only when the LoadAppInit_DLLs value in the same key is set to 1, so that value should be checked alongside the DLL list.
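The following Go program is an added example (not code from the alert, from the CCC analysis or from the trojan) that turns the Warning Indicators and the persistence mechanism above into a check a responder can run over the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"`.  The sample output embedded in the program is constructed for the demonstration; the component names are the ones listed in this alert.  It parses the value list, splits AppInit_DLLs into its individual modules (names or full paths), matches file names against the known components and reports whether the LoadAppInit_DLLs gate is armed.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of the output of
//   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"
// on an infected 32-bit host. Example data for this demonstration, not a real capture.
const SampleRegQuery = `
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    mfc42ul.dll
    LoadAppInit_DLLs    REG_DWORD    0x1
    DeviceNotSelectedTimeout    REG_SZ    15
`

// Component file names named in this alert.
var r2d2Components = map[string]bool{"mfc42ul.dll": true, "winsys32.sys": true, "scuinst.exe": true}

type AppInitFinding struct {
	Entries  []string // every module listed in AppInit_DLLs
	Enabled  bool     // LoadAppInit_DLLs != 0; treated as enabled when the value is absent (pre-Windows 7)
	Suspects []string // entries whose file name matches a known R2D2 component
}

// ParseRegQuery turns `reg query` output into a value-name -> data map.
// Data lines have the form "<name>    <REG_type>    <data>"; the data may
// itself contain spaces (paths), so everything after the type is kept.
func ParseRegQuery(out string) map[string]string {
	values := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		f := strings.Fields(line)
		if len(f) < 3 || !strings.HasPrefix(f[1], "REG_") {
			continue // key header, blank line, or a value with empty data
		}
		values[strings.ToLower(f[0])] = strings.Join(f[2:], " ")
	}
	return values
}

// baseName strips a Windows or POSIX directory prefix without depending on
// the path separator of the host the check runs on.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// CheckAppInitDLLs evaluates the persistence indicator from this alert: whether
// AppInit_DLLs names a known component, and whether the mechanism is armed.
func CheckAppInitDLLs(regOutput string) AppInitFinding {
	values := ParseRegQuery(regOutput)
	finding := AppInitFinding{Enabled: true}
	if v, ok := values["loadappinit_dlls"]; ok {
		finding.Enabled = strings.TrimPrefix(strings.ToLower(v), "0x") != "0"
	}
	// AppInit_DLLs is a space- or comma-separated list of module names or paths.
	for _, entry := range strings.FieldsFunc(values["appinit_dlls"], func(r rune) bool {
		return r == ',' || r == ' '
	}) {
		finding.Entries = append(finding.Entries, entry)
		if r2d2Components[strings.ToLower(baseName(entry))] {
			finding.Suspects = append(finding.Suspects, entry)
		}
	}
	return finding
}

func main() {
	f := CheckAppInitDLLs(SampleRegQuery)
	fmt.Printf("AppInit_DLLs entries: %v\n", f.Entries)
	fmt.Printf("LoadAppInit_DLLs armed: %v\n", f.Enabled)
	if len(f.Suspects) > 0 && f.Enabled {
		fmt.Printf("ALERT: R2D2 component(s) set to load into every user32 process: %v\n", f.Suspects)
	}
}
```

Run it against real output by piping `reg query` into a file on the suspect host and passing the contents to CheckAppInitDLLs; a hit with Enabled true means the DLL is being loaded, while a hit with Enabled false (LoadAppInit_DLLs set to 0 on Windows 7) still indicates the host was touched even though the load path is disarmed.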

The trojan uses AES in Electronic Code Book (ECB) mode with a single fixed key to encrypt its responses to the Command-and-Control server.  The 32-byte key (AES-256) has been found to be:

49 03 93 08 19 94 96 94 28 93 83 04 68 28 A8 F5
0A B9 94 02 45 81 93 1F BC D7 F3 AD 93 F5 32 93

The trojan listens for 1-byte command identifiers from the server and answers each with a 16-byte response packet.  The following response codes have been identified:

0x11 - Idle feedback
0x16 - JPEG-encoded screenshot being sent
0x23 - Executable has been executed
0x28 - No screenshot available

The trojan could be installed on the targeted system by convincing a user to open a malicious e-mail attachment or through a drive-by download.  Once installed, it attempts to connect to the Command-and-Control server at regular intervals.  It identifies itself to the server by sending a 64-byte plaintext header containing the banner string C3PO-r2d2-POE.  Once this initial identification is complete, the server can send a 1-byte command identifier, followed by a variable set of parameters, to the trojan.  The trojan responds with a 16-byte packet containing the response code corresponding to the server's command.
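To make the framing and the ECB weakness concrete, the following Go program is an added example (not code from the alert, from the CCC analysis or from the trojan) that uses the key and banner string given above with Go's standard crypto/aes package.  Two details are assumptions made for the demonstration, because the alert states only the sizes, the banner and the codes: the 64-byte header is built with the banner at offset 0 and zero padding, and the 16-byte response carries the response code in its first byte with zero fill.  The program shows that with a fixed key in ECB mode two identical responses encrypt to identical bytes, that anyone holding the published key decrypts a captured response outright, and that the plaintext banner can be matched in a stream without any key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/hex"
	"fmt"
)

// Fixed AES-256 key (32 bytes) published in the CCC analysis and listed in this alert.
var R2D2Key = mustHex("4903930819949694289383046828A8F50AB994024581931FBCD7F3AD93F53293")

const (
	Banner    = "C3PO-r2d2-POE" // banner string from the alert
	HeaderLen = 64              // plaintext identification header length from the alert
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// BuildHeader reproduces the plaintext identification header. Banner at offset 0
// with zero padding is an ASSUMED layout; the alert gives only length and banner.
func BuildHeader() []byte {
	h := make([]byte, HeaderLen)
	copy(h, Banner)
	return h
}

// ecb applies a single-block operation to every 16-byte block independently:
// no IV and no chaining, which is what makes ECB deterministic.
func ecb(op func(dst, src []byte), data []byte) ([]byte, error) {
	if len(data) == 0 || len(data)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("ecb: %d bytes is not a multiple of %d", len(data), aes.BlockSize)
	}
	out := make([]byte, len(data))
	for i := 0; i < len(data); i += aes.BlockSize {
		op(out[i:i+aes.BlockSize], data[i:i+aes.BlockSize])
	}
	return out, nil
}

// EncryptResponse builds the 16-byte encrypted response to a server command.
// Response code in byte 0 with zero fill elsewhere is an ASSUMED layout.
func EncryptResponse(key []byte, code byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, aes.BlockSize)
	pt[0] = code
	return ecb(block.Encrypt, pt)
}

// DecryptResponse is what any third party holding the leaked key can do with a
// captured response packet.
func DecryptResponse(key, ct []byte) (byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return 0, err
	}
	pt, err := ecb(block.Decrypt, ct)
	if err != nil {
		return 0, err
	}
	return pt[0], nil
}

// FindBanner returns every offset of the plaintext banner in a captured stream.
// The implant-to-server header is unencrypted, so a sensor needs no key here.
func FindBanner(stream []byte) []int {
	var offs []int
	i := 0
	for {
		j := bytes.Index(stream[i:], []byte(Banner))
		if j < 0 {
			return offs
		}
		offs = append(offs, i+j)
		i += j + 1
	}
}

func main() {
	idle1, _ := EncryptResponse(R2D2Key, 0x11)
	idle2, _ := EncryptResponse(R2D2Key, 0x11)
	shot, _ := EncryptResponse(R2D2Key, 0x16)
	fmt.Printf("idle beacon #1 : %x\nidle beacon #2 : %x\nscreenshot     : %x\n", idle1, idle2, shot)
	fmt.Println("identical idle beacons (ECB):", bytes.Equal(idle1, idle2))
	code, _ := DecryptResponse(R2D2Key, shot)
	fmt.Printf("decrypted with leaked key: 0x%02x\n", code)
	stream := append(BuildHeader(), shot...) // constructed capture: header then one response
	fmt.Println("banner offsets:", FindBanner(stream))
}
```

The determinism shown by the two idle beacons is the practical consequence of ECB with a fixed key: a passive observer can classify implant responses by ciphertext value alone, and once the key is public no observation is even needed.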


IntelliShield Analysis
 

Backdoor:W32/R2D2.A could infect 32-bit Microsoft Windows platforms.  It could allow a remote attacker to obtain sensitive information by capturing screenshots of critical applications at regular intervals, and to gain access to sensitive VoIP traffic from applications such as Skype.  The trojan also allows remote execution of applications, and updates that add new features or evade detection could be delivered through its automatic update mechanism.

The string C3PO-r2d2-POE is used by the trojan to identify itself to the Command-and-Control server, which is where the name R2D2 comes from.  Because the header carrying this string is sent in plaintext, traffic analysis tools can match on it to detect infected systems.

The AES channel is unidirectional: only responses from the infected system to the server are encrypted.  Traffic from the server, including the 1-byte command identifiers, is sent in plaintext, so these identifiers can also be used to detect infections.

Reports indicate that the trojan uses ECB mode with a single fixed key.  ECB encrypts each 16-byte block independently, so identical responses (for example repeated idle feedback) produce identical ciphertext and can be recognized by pattern matching without the key; and because the key has been published, any third party that captures the traffic can decrypt it outright.  This further increases the risk that intercepted information is disclosed to parties other than the operator.

The Chaos Computer Club (CCC), a German hacker association, is credited with the discovery and analysis of this trojan.  The group claims that the trojan was developed by the German government to perform covert monitoring.

Rule-based and application-based firewalls are likely to prevent or limit the impact of this trojan.  Rule-based firewalls are typically set up by an administrator for an entire network.  These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production.  Application-based firewalls are often found on client systems and can be configured to allow certain services and processes to access the Internet or local network.  These firewalls can be configured to prompt a user each time a new process or service is attempting to access the Internet or local network.  Both types of firewalls may prevent malicious code from downloading updates or additional files.  The firewalls may also prevent the malicious code from contacting an attacker or website and from accessing local network resources.

Most host intrusion detection/prevention systems software, such as Cisco Security Agent, can be configured to warn users when suspicious activity occurs on their systems.  This software can be configured to prevent this trojan from executing its infection routines.  Host intrusion detection/prevention systems software may also be configured to prompt a user when suspicious activity occurs.  Often users can choose whether to allow or deny the activity in question.  These factors will limit the infection rate and impact on most systems.

Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network.  User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.


Safeguards
 

Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.

Block all file attachments except those specifically required for business purposes.

Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.

Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.

Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.

Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations only.

Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.

Provide initial and continuing education to all levels of users throughout the organization.

Users are advised not to open e-mail messages from untrusted sources. Users are advised to verify the authenticity of unexpected files from trusted sources.

Users are advised to use caution when downloading and installing software.


Patches/Software
 

The F-Secure Virus Description for Backdoor:W32/R2D2.A is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0

Signature ID   Signature Name          Release   Latest Release Date
39866/0        German Federal Trojan   S603      2011 Oct 19
39866/1        German Federal Trojan   S603      2011 Oct 19

Cisco Small Business IPS

Signature ID         Signature Name          Release       Latest Release Date
SBIPS2011-000321/    German Federal Trojan   SBIPS000017   2011 Dec 09
SBIPS2011-000322/    German Federal Trojan   SBIPS000017   2011 Dec 09
 
Alert History
 

Initial Release



Product Sets
 
This alert applies to the following combinations of products.

Primary Products:
IntelliShield - Malicious Code Alert: Original Release Base

Associated Products:
Microsoft, Inc. - Windows 7 for 32-bit systems: Base, SP1
Microsoft, Inc. - Windows Server 2003: Datacenter Edition Base, SP1, SP2 | Enterprise Edition Base, SP1, SP2 | Standard Edition Base, SP1, SP2 | Web Edition Base, SP1, SP2
Microsoft, Inc. - Windows Vista: Home Basic Base, SP1, SP2 | Home Premium Base, SP1, SP2 | Business Base, SP1, SP2 | Enterprise Base, SP1, SP2 | Ultimate Base, SP1, SP2
Microsoft, Inc. - Windows XP: Home Edition Base, SP1, SP2, SP3 | Professional Edition Base, SP1, SP2, SP3 | Tablet PC Edition Base, 2005 | Media Center Edition Base, 2005




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.