Threat Spotlight

For the week of 13 Oct 2011
Threat 1

R2D2 Trojan may have been planted by German police

Threat Name:

Troj/BckR2D2-A

Users at Risk:

Windows users

Also Known As:

Avira TR/GruenFink.1
F-Secure Backdoor:W32/R2D2.A
McAfee Generic BackDoor!dr3
Microsoft Backdoor:Win32/R2d2.A
Symantec Backdoor.R2D2
Trend Micro BKDR_R2D2.Z

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Troj/BckR2D2-A is a Trojan designed to record Skype conversations and to eavesdrop on the MSN Messenger and Yahoo Messenger chat clients. It also takes screenshots and logs keystrokes in Internet Explorer, Firefox, Opera and SeaMonkey.

The Trojan was recently disclosed by a former suspect in a German government investigation who later reviewed the evidence used against him. The former suspect noticed screenshots from his computer and provided a copy of his hard drive to the Chaos Computer Club (CCC) in Germany.

The CCC used forensic software to recover deleted files and reverse engineered the functionality of the Trojan. On Saturday 8 October 2011, the CCC published a report on its website and made the files available to other researchers. The group alleges the Trojan was created by German authorities to spy on suspects.

Back in December 2010, a variant of this Trojan examined by VirusTotal went undetected by antivirus products using traditional signature-based techniques. However, current security suites have additional features that VirusTotal can't reflect.

For example, once the dropper is executed, Sophos Anti-Virus raises two HIPS alerts: HIPS/RegMod-013 and HIPS/ProcInj-001.

This is not a widespread Trojan and was probably only used on a handful of suspects. German law enforcement agencies have the authority to use such Trojans, but German law prohibits authorities from using a generic Trojan for all cases.

Threat 2

Trojan hides itself in recycle bin

Threat Name:

Troj/Agent-TRE

Users at Risk:

Windows users

Also Known As:

Avira TR/Gendal.kdv.374969.1
AVP Trojan-Spy.Win32.SpyEyes.qby
Microsoft Trojan:Win32/EyeStye.N
Trend Micro TSPY_ZBOT.EXPQ

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Troj/Agent-TRE is a backdoor Trojan for the Windows platform. It reduces the overall security of the system it infects and attempts to contact a remote server.

When first run, Troj/Agent-TRE drops the following files:

<WINDOWS>\[random_letters_numbers].exe
<WINDOWS>\[random_letters_numbers].tmp
<Root>\Recycle.Bin\[random_capital_letters_numbers].exe
<Root>\Recycle.Bin\[random_capital_letters_numbers]

The file [random_letters_numbers].exe is not detect-worthy, and [random_letters_numbers].tmp is an empty file.

The file <Root>\Recycle.Bin\[random_capital_letters_numbers].exe is a hidden copy of Troj/Agent-TRE.

Troj/Agent-TRE reduces system security by altering the following registry keys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Zone numbers 1, 3 and 4 (seen being changed)

HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones
Zone numbers 1, 3 and 4 (seen being changed)

The registry values affected within those zones are:

  • 1406 Miscellaneous: Access data sources across domains. This setting controls whether scripts and applets may access databases across multiple domains.
  • 1609 Miscellaneous: Display mixed content. This setting controls whether both secure and non-secure content may be displayed on the same page, and whether Internet Explorer warns when it encounters a website that contains both secure (HTTPS) and nonsecure (HTTP) content.

The following registry values are also affected, shown with the value observed:

HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\PhishingFilter\EnabledV8 = 0
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\PhishingFilter\ShownServiceDownBalloon = 0
HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Recovery\ClearBrowsingHistoryOnExit = 0
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1 = 1
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1 = 1
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost = 0
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect = 0
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet = 0
HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline = 0

After installing itself, the Trojan deletes itself from its original location but continues to run from <Root>\Recycle.Bin\[random_capital_letters_numbers].exe.
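As an added illustration, not part of the original write-up, the following Python script audits a registry export for the weakened Internet Explorer settings listed above: it parses `reg export` text, flags the listed protection values that are 0, and reports the 1406 and 1609 actions in zones 1, 3 and 4 when they are set to 0 (Enable). The sample input is constructed; which values to treat as weakened, and leaving out the HTTP/1.1 entries as uninformative, is my own judgment, not something the write-up states.

```python
import re
# Values the Troj/Agent-TRE write-up lists at 0, where 0 turns a browser
# protection off (its HTTP/1.1 entries are left out: 1 is their normal value).
PROTECTIONS_OFF = {
    r"Software\Microsoft\Internet Explorer\PhishingFilter": ["EnabledV8"],
    r"Software\Microsoft\Windows\CurrentVersion\Internet Settings":
        ["WarnOnPost", "WarnOnPostRedirect", "WarnOnIntranet"],
}
# URL actions changed in zones 1, 3 and 4; in IE zone settings 0 means "Enable".
ZONE_ACTIONS = {"1406": "access data sources across domains", "1609": "display mixed content"}
ZONE_RE = re.compile(r"Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\(?:Lockdown_)?Zones\\[134]$")

def parse_reg_export(text):
    """Collect DWORD values from .reg export text as {key_path: {name: int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def audit(reg):
    """One finding per value that sits in the weakened state the write-up describes."""
    findings = []
    for key, values in reg.items():
        # HKCU\... and HKEY_USERS\<SID>\... both hold the per-user paths listed above
        subkey = re.sub(r"^(HKEY_CURRENT_USER|HKEY_USERS\\[^\\]+)\\", "", key)
        for name in PROTECTIONS_OFF.get(subkey, []):
            if values.get(name) == 0:
                findings.append(f"{key}\\{name} = 0 (protection disabled)")
        if ZONE_RE.match(subkey):
            for action, desc in ZONE_ACTIONS.items():
                if values.get(action) == 0:
                    findings.append(f"{key}\\{action} = 0 ({desc}: Enable)")
    return findings

# Constructed sample in 'reg export' format, not a capture from a real host.
SAMPLE_REG = r"""[HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\PhishingFilter]
"EnabledV8"=dword:00000000
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnPost"=dword:00000000
"WarnOnIntranet"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1406"=dword:00000000
"1609"=dword:00000003
"""
```

Running `audit(parse_reg_export(SAMPLE_REG))` on the sample yields three findings; the WarnOnIntranet = 1 and 1609 = 3 entries are left alone because they are not in the permissive state.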

Threat 3

Spammed Trojan contacts 'seriosly' bad site

Threat Name:

Troj/Bredo-KN

Users at Risk:

Windows users

Also Known As:

Avira TR/Yakes.KC
AVP Trojan.Win32.Yakes.glu
K7 Trojan ( 002ec1821 )
McAfee Generic Downloader.fn Trojan
Microsoft Worm:Win32/Gamarue.B
Trend TROJ_SPNR.0BJA11

Removal Instructions:

Please follow the instructions for removing Trojans

About:

Troj/Bredo-KN is a Trojan for the Windows platform.

We've seen Troj/Bredo-KN in zip files attached to spam emails with the subject line "ACH Payment [random number] Canceled."

Troj/Bredo-KN uses the filename report.[random number].pdf.exe and carries a PDF icon.

We detect the zip file as Troj/Invo-Zip.

When installed, Troj/Bredo-KN copies itself into the following location:

\Documents and Settings\All Users\Local Settings\Temp\

The Trojan sets the following registry key to automatically restart itself upon reboot:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

Troj/Bredo-KN attempts to access the following domains:

loshatemikontara551.ru
serioslyfucked.ru
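An added example, not from the original write-up: a mail-gateway style check in Python for the lure described above. It builds a constructed zip containing a fake PE named report.[number].pdf.exe, flags the document-then-executable double extension and the MZ header behind a non-executable name, and matches the subject-line pattern; the extension sets and verdict strings are assumptions of mine.

```python
import io
import re
import zipfile

# Lure the Troj/Bredo-KN write-up describes: subject "ACH Payment <number> Canceled"
# and a zip holding report.<number>.pdf.exe, an executable dressed up as a PDF.
SUBJECT_RE = re.compile(r"^ACH Payment \d+ Canceled\.?$", re.IGNORECASE)
EXEC_EXT = {"exe", "scr", "com", "pif"}          # extensions Windows will execute (assumed set)
DOC_EXT = {"pdf", "doc", "xls", "txt"}           # extensions that look like documents (assumed set)

def suspicious_members(zip_bytes):
    """Return (member_name, reason) for each zip entry that looks like a disguised executable."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            parts = info.filename.lower().rsplit(".", 2)   # report.123.pdf.exe -> [..., 'pdf', 'exe']
            if len(parts) == 3 and parts[2] in EXEC_EXT and parts[1] in DOC_EXT:
                hits.append((info.filename, "document extension in front of an executable one"))
            # The icon can lie, the file header cannot: a PE image starts with 'MZ'
            with zf.open(info) as member:
                if member.read(2) == b"MZ" and parts[-1] not in EXEC_EXT:
                    hits.append((info.filename, "PE header behind a non-executable extension"))
    return hits

def classify(subject, attachment_bytes):
    """Combine the subject-line lure with the attachment check; returns a verdict string."""
    hits = suspicious_members(attachment_bytes)
    lure = bool(SUBJECT_RE.match(subject.strip()))
    if hits and lure:
        return "block: lure subject and disguised executable"
    if hits:
        return "block: disguised executable"
    return "quarantine-review: lure subject" if lure else "pass"

def build_sample_zip():
    """Constructed attachment, not a real capture: one fake PE named like the spam, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.48213.pdf.exe", b"MZ" + b"\x90" * 62)   # fake DOS header, not malware
        zf.writestr("notes.txt", b"nothing to see here")
    return buf.getvalue()
```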