Honeynet Scan Of the Month 32 Questions and Answers
Author: Chris Eagle, cseagle at nps d0t edu
A detailed analysis of RaDa.exe can be found here.
1. Identify and provide an overview of the binary, including the fundamental pieces of information that would help in identifying the same specimen.
The program is a backdoor. When executed on a victim machine, it can take steps to install itself so that it is launched whenever the system is started. The program has the capability of uploading or downloading files to/from a designated remote web server. It also has the capability to execute any command on the victim machine at the direction of a controlling server. The last main feature is its ability to take screen shots of the victim machine at the direction of a controlling server. This particular binary is most easily identified by the embedded string:
"!This program is the binary of SotM 32.."
The program is compressed using the UPX compressor for executable files in an attempt to make reverse engineering more difficult. As a further measure, the UPX headers were changed in order to prevent UPX from being used to recover the original program.
2. Identify and explain the purpose of the binary.
It is a simple backdoor. Its purpose is to provide a means of controlling a remote computer.
3. Identify and explain the different features of the binary. What are its capabilities?
The binary was protected (obfuscated) using UPX and was further corrupted to prevent UPX from being used to remove the protection. The binary was written using Visual Basic and compiled to native x86 machine language. The program makes use of an InternetExplorer.Application object to perform web-based communications and a WScript.Shell object to interact with the registry and the WMI interface. The program can install or uninstall itself from a victim computer. The program retrieves commands from a remote server and executes those commands on the victim computer. The program can be commanded to download new files from a remote server, upload files from the victim to a remote server, capture and save a screen shot of the victim computer, and execute any available program on the victim computer.
4. Identify and explain the binary communication methods. Develop a Snort signature to detect this type of malware, being as generic as possible so that other similar specimens could be detected, but at the same time avoiding a signature with a high false-positive rate.
The binary downloads a specified command file from a specified command server using an InternetExplorer application object as the download agent. The command file is parsed for form fields containing directives that the program carries out on the victim machine. The use of Internet Explorer to conduct all remote communications may be helpful in bypassing host-based intrusion detection programs such as BlackICE, ZoneAlarm, and the Windows Firewall, because Internet Explorer is very likely to have been granted permanent permission to establish outbound connections on a given computer. Unlike many backdoor programs, this program does not open any ports on the victim machine to accept incoming connections.
The following Snort rule triggers on an HTTP request being made for the default command file used by the program, RaDa_commands.html:
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR RaDa command file access"; flow:to_server,established; uricontent:"/RaDa_commands.html"; nocase; )
The program also triggers existing Snort rule 1:1481 on detection of the default upload method of the program (access to upload.cgi). Sample alerts are shown below:
[**] [1:0:0] BACKDOOR RaDa command file access [**]
[Priority: 0]
09/30-17:56:58.948173 192.168.0.36:1448 -> 192.168.0.202:80
TCP TTL:128 TOS:0x0 ID:12019 IpLen:20 DgmLen:393 DF
***AP*** Seq: 0xDD4AB355 Ack: 0xDF4C471C Win: 0x4470 TcpLen: 20
[**] [1:1481:4] WEB-CGI upload.cgi access [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/30-17:57:00.949811 192.168.0.36:1449 -> 192.168.0.202:80
TCP TTL:128 TOS:0x0 ID:12026 IpLen:20 DgmLen:965 DF
***AP*** Seq: 0xDD52EEB4 Ack: 0xDFB7B818 Win: 0x4470 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10290]
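To make the two detections above concrete, this added example (not part of the original write-up) replays the same URI checks over a constructed HTTP request log: a case-insensitive match on /RaDa_commands.html as in the rule above, and the upload.cgi access behind Snort rule 1:1481, with the HOME_NET -> EXTERNAL_NET direction test. The log layout, the sample lines, and HOME_NET (taken to be the infected lab host) are all assumptions.

```python
"""Replay the write-up's two Snort detections over constructed HTTP request log lines.

Added example, not from the original write-up. Log layout
("<time> <src>:<port> <dst>:<port> <method> <uri>") and all sample lines are
constructed; HOME_NET (the victim host) is an assumption. URI fragments come from the
rules above: uricontent:"/RaDa_commands.html" (nocase) and the upload.cgi access
behind Snort rule 1:1481.
"""
import ipaddress
from typing import List

HOME_NET = ipaddress.ip_network("192.168.0.36/32")  # assumption: the infected host

# Signature name -> URI fragment, lowercase because the rule uses 'nocase'.
SIGNATURES = {
    "BACKDOOR RaDa command file access": "/rada_commands.html",
    "WEB-CGI upload.cgi access": "/upload.cgi",
}

SAMPLE_LOG = """\
09/30-17:56:58 192.168.0.36:1448 192.168.0.202:80 GET /RaDa_commands.html
09/30-17:57:00 192.168.0.36:1449 192.168.0.202:80 POST /cgi-bin/upload.cgi
09/30-17:57:05 192.168.0.36:1450 192.168.0.202:80 GET /index.html
09/30-17:57:09 192.168.0.36:1451 192.168.0.202:80 GET /RADA_COMMANDS.HTML
09/30-17:57:12 192.168.0.202:4312 192.168.0.36:80 GET /RaDa_commands.html
"""


def match_request(src: str, dst: str, uri: str) -> List[str]:
    """Signatures one request triggers. Direction mirrors '$HOME_NET -> $EXTERNAL_NET'
    (EXTERNAL_NET = !HOME_NET); the log holds only requests, covering flow:to_server."""
    if ipaddress.ip_address(src) not in HOME_NET or ipaddress.ip_address(dst) in HOME_NET:
        return []
    return [name for name, frag in SIGNATURES.items() if frag in uri.lower()]


def scan_log(log: str) -> List[str]:
    """One alert line per triggered signature, in log order."""
    alerts = []
    for line in log.splitlines():
        ts, src_port, dst_port, _method, uri = line.split()
        src, dst = src_port.rsplit(":", 1)[0], dst_port.rsplit(":", 1)[0]
        for name in match_request(src, dst, uri):
            alerts.append(f"[**] {name} [**] {ts} {src_port} -> {dst_port}")
    return alerts


if __name__ == "__main__":
    print("\n".join(scan_log(SAMPLE_LOG)))
```

The last sample line is deliberately a request in the reverse direction and produces no alert, which is the same behaviour the $HOME_NET -> $EXTERNAL_NET header gives the Snort rule.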
5. Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.
First the binary was packed with UPX. Next the UPX headers were mangled so that UPX could not be used to unpack the binary back to its original state. UPX Scramble is one such tool that is capable of performing this task. Before listing the author names (--authors command line argument) the program attempts to determine if it is running within a VMware virtual machine by checking for the presence of the "HKLM\Software\VMware, Inc.\VMware Tools\InstallPath" registry key and looking for any network interfaces that have a VMware OUI.
6. Categorize this type of malware (virus, worm...) and justify your reasoning.
The program is a backdoor. When installed on a victim computer, it provides a remote controller the capability to execute arbitrary commands on the victim. Unlike a trojan horse, it is not disguised in any way to make it likely that a user would mistakenly execute it. It does not require nor does it infect additional host files on the victim computer and is therefore not a virus. The program makes no attempt to attack and propagate to additional computers and is therefore not a worm. And while the binary contains the string "Starting DDoS Smurf remote attack...", there is no evidence to suggest that it is capable of doing so, so it is not a DDoS agent.
7. Identify another tool that has demonstrated similar functionality in the past.
Most IRC bots (Agobot, Slackbot, etc.) contain some of the backdoor functionality contained by this program. Classic Windows backdoor programs include Back Orifice and SubSeven. Obscure Visual Basic backdoors that have appeared in the wild include (Symantec designations) NetControle, Sazo, Fearic, Pointex, and Khaos.
8. Suggest detection and protection methods to fight against the threats introduced by this binary.
One suggestion is to use alternative web browsers such as Opera or Mozilla/Firefox and then block Internet Explorer from establishing outbound connections without user approval. File scanning utilities such as anti-virus software could alert when obfuscated binaries are executed. Binaries such as these are often detectable by examining their import tables. Users could be afforded the opportunity to allow or deny program continuation in a manner similar to the choices offered by host-based firewalls. Registry change monitors could be used to monitor and alert on changes to the keys commonly used for launching malware, such as HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run as used by this program. From a reverse engineering standpoint, efforts need to be made to make virtual machine environments less detectable to software running within those environments.
Bonus Question:
* Is it possible to interrogate the binary about the person(s) who developed this tool? In what circumstances and under which conditions?
Yes, it is possible using the following three commands:
- Rada --help: opens an Internet Explorer window that displays a copyright notice with the authors' names.
- Rada --gui: opens a GUI panel containing a copyright notice and the authors' names. Two buttons on the panel, "Show config" and "Show usage", can be used to open an Internet Explorer window similar to that of "Rada --help".
- Rada --authors: the program checks to see whether it is being run within a VMware virtual machine and, if it can't detect VMware, it opens a message box dialog that names the authors. Refer to the analysis writeup for ways to defeat the VMware checks performed by the program.
* What advancements in tools with similar purposes can we expect in the near future?
We can expect tools of this sort to:
- communicate in a more covert manner
- hide themselves using methods that are harder to detect
- perform more sophisticated checks for virtual machine environments
- use more sophisticated obfuscation techniques