This section lists the tools and the procedures used for the RaDa malware analysis.
Bochs: a cross-platform PC emulator, http://bochs.sourceforge.net/
Ethereal: THE sniffer, part of the Linux installation
Gvim: GTK+ GUI version of VI Improved, which comes with the Linux installation
hexdump: trivial hexadecimal dump of a file, which comes with the Linux installation
strings: extracts ASCII strings from a file, which comes with the Linux installation
UPX: executable compressor/decompressor, http://upx.sourceforge.net/
ClamAV: open source antivirus scanner, http://clamav.sourceforge.net/
I set up on Bochs a virtual PC with a Pentium processor, 128 Mbytes of RAM, 1.2G of disk, an NE2000 Ethernet card, a modem and a standard VGA display. On that PC I successfully installed Windows 2000 Server Service Pack 1. The network is configured to be completely isolated from the rest of the PCs in my lab, and a notebook with RedHat 9 is used to "simulate" a DNS server, an IRC server, an HTTP server and a Samba server with open shares on the same network as the virtual PC. On the PC that hosts the simulated PC, Ethereal is ready to capture.
It is a rudimentary method of analysis, I know, but it permits to quickly obtain information about the executable and about the operating methods of any malware. I use the same method to analyze some worm viruses captured in the wild, without using a disassembler, a debugger or other tools inside the infected machine: all the tools are external to the "virtual PC", which is seen as a "black box". This method can be very useful if the malware is made to detect reverse engineering attempts with tools like IDA or most debuggers. It's my opinion that it's not hard to imagine that some future malware will detect reverse engineering attempts, as some real viruses can detect antivirus products, firewalls and tools like Windows Task Manager and Registry Editor, and can terminate them to avoid user "interference".
This method does not use anything internal to the infected PC, and you can obtain some useful information without "interfering" with the normal activity of the malware.
The binary is packed with a modified UPX. ClamAV does not identify it as a threat, nor does the Kaspersky online scanner. It appears with a nice icon (a blowfish) and properties like Company Name: Malware and Internal Name: RaDa, which make identification with an antivirus scanner quite simple.
On start it makes a new directory called RaDa in the root of the C: disk, with two subdirectories, bin and tmp. It also creates a new registry key "RaDa" in HKLM/Software/Microsoft/Windows/CurrentVersion/Run to start at the login of any user. After that it tries to connect to IP address 10.10.10.10 on port 80 (HTTP).
On the RedHat 9 notebook, I add a new IP alias to the interface with the command:
ifconfig eth0:1 inet 10.10.10.10 netmask 255.255.255.0 up
and start Apache, configured to listen on all interfaces.
After Apache starts, the virtual PC tries to connect to the web server and sends this request:
GET /RaDa/RaDa_commands.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: it
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 10.10.10.10
Connection: Keep-Alive
which fails as expected, since the requested document doesn't exist.
I send a SEGV signal to Bochs with the command:
killall -SEGV bochs
which causes Bochs to terminate with a core dump that contains a memory image of the virtual PC with the executing malware. Next I extract the ASCII strings with:
strings -a -tx core > RaDa.txt
and start exploring the string file by opening it in Gvim. Searching for the "RaDa" string finds these groups of strings:
Offset   String
5cff654  Command_install
5cff674  You can learn a lot playing funny security challenges
5cff6dc  Command_usage
5cff6ec  Command_exit
5cff6fc  Command_conf
5cff71c  Label1
5cff724  Label2
5cff72c  Label3
5cff734  Command_go
5cff740  Command_uninstall
and more interesting:
Offset   String
5ec0dba  Command_uninstall
5ec0dd0  Uninstall
5ec0df2  MS Sans Serif
5ec0e08  Command_install
5ec0e1c  Install
5ec0e3c  MS Sans Serif
5ec0e52  Command_exit
5ec0e63  Exit
5ec0e80  MS Sans Serif
5ec0e96  Command_usage
5ec0ea8  Show usage
5ec0ecb  MS Sans Serif
5ec0ee1  Command_conf
5ec0ef2  Show config
5ec0f16  MS Sans Serif
5ec0f2c  Command_go
5ec0f59  MS Sans Serif
5ec0f6f  Label3
5ec0f7a  (c) Raul Siles && David Perez
5ec0fb2  Comic Sans MS
5ec0fc8  Label2
5ec0fd3  SotM 32 - September 2004
Launching rada.exe with an argument (e.g. /help) shows an Internet Explorer window (without toolbars, menu or status bar) with some strings like the URL of the Scan of the Month website. Those strings did not appear in the file generated by the strings command. So I create a hexdump of the core file with:
hexdump -C core > RaDa.hex
and open it with Gvim, searching for a pattern like h<any char>o<any char>n<any char>e, and I found some interesting Unicode strings:
--period --gui --cgiput --tmpdir --verbose --visible --server --commands --cgipath --cgiget --cycles --help --installdir --noinstall --uninstall --authors
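As an added example (not part of the original analysis), a small Python extractor that does what the h<any char>o<any char>n<any char>e search in the hexdump does by hand: it pulls both ASCII and UTF-16LE strings out of a memory image with their offsets, the wide ones being what `strings -a` without `-e l` misses. The SAMPLE bytes are constructed for the demonstration, not taken from the real core dump.

```python
import re

# Printable ASCII runs, and the same runs stored as UTF-16LE (each character
# followed by a NUL byte), which is how the "h.o.n.e" pattern shows up in a
# `hexdump -C` listing and which `strings -a` without `-e l` does not report.
NARROW = rb"[\x20-\x7e]{%d,}"
WIDE = rb"(?:[\x20-\x7e]\x00){%d,}"

def extract_strings(data, min_len=4):
    """Return (offset, kind, text) tuples sorted by offset, like the
    `strings -a -tx` listing above: kind 'a' is ASCII, kind 'l' is
    little-endian 16-bit (what `strings -e l` would print)."""
    found = []
    for m in re.finditer(NARROW % min_len, data):
        found.append((m.start(), "a", m.group().decode("ascii")))
    for m in re.finditer(WIDE % min_len, data):
        found.append((m.start(), "l", m.group().decode("utf-16-le")))
    return sorted(found)

def find_options(data):
    """The --switches hidden as wide strings, in the order they appear."""
    return [s for _, kind, s in extract_strings(data)
            if kind == "l" and s.startswith("--")]

def hex_listing(data):
    """Render the results with hex offsets, as `strings -tx` does."""
    return ["%x %s %s" % (off, kind, s) for off, kind, s in extract_strings(data)]

# Constructed memory fragment (not from the real core dump): one ASCII string
# like those found with `strings`, then two switches stored as UTF-16LE.
SAMPLE = (b"\x00\x00Command_install\x00\x00"
          + "--cgiput".encode("utf-16-le") + b"\x00\x00"
          + "--noinstall".encode("utf-16-le") + b"\x00\x00")

if __name__ == "__main__":
    for line in hex_listing(SAMPLE):
        print(line)
```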
Passing these arguments to rada.exe on the command line gives some interesting results:
--noinstall: does not install the registry key for autostart, nor install RaDa in the c:\RaDa directory tree.
--gui: starts RaDa in GUI mode.
--tmpdir: accepts an argument as the path of the tmp directory (default c:\RaDa\tmp).
--installdir: accepts an argument as the path where to install the binary.
--uninstall: deletes the registry key in HKLM/...../Run for autostart and RaDa.exe from c:\RaDa\bin; it does not remove the directories.
--help: shows an IExplorer window with some help (only a sort of About, for now).
--visible: makes visible an IExplorer window with the HTML page downloaded from http://10.10.10.10/RaDa/RaDa_commands.html
--commands: changes the HTML file name from the default RaDa_commands.html.
--server: changes both server and directory on the web server from the default http://10.10.10.10/RaDa
--authors: shows a MessageBox dialog with the authors' names (RAul and DAvid, whose first letters are used for the name of the executable).
--period: time in seconds between attempts to read the command file from the server.
--cycles: number of times to repeat the download/execute cycle (default forever = 0).
--cgipath: sets the path of the CGI scripts on the server (default cgi-bin).
--cgiput: name of the upload script (default upload.cgi).
--cgiget: name of the download script (default download.cgi).
There are some other interesting strings:
Starting DDos Smurf remote attack
HKLM\Software\VMware, inc.\VMware Tools\Install\Path
I wasn't able to obtain more data and information with this method. But I'll try to answer the SotM questions.
It's a compressed executable, made with a variant of UPX. It contains, even in the compressed form, some byte sequences that make identification by signature simple, like the string "Malware" in the Company Name property and the blowfish icon.
The binary installs itself and starts to query for a specially made HTML page where, I think, it finds instructions to execute, as special keywords or a VBS script, judging from the string "wscript" contained in the executable.
It has some interesting abilities:
From these capabilities, it seems to be ready to transform the infected computer into a "zombie" to launch attacks on other computers in the network. It also seems to be able to "steal" data and information from the infected computer, transferring files to a remote computer. There is a string "screenshot" in the executable that, if it is a command as the name suggests, can take a screenshot of the desktop and send it to the remote computer.
It uses the normal HTTP protocol. It may be very difficult to develop a signature, because the server and the "GET" string can be modified to any combination. It can help if the malware always starts by connecting to the same server and only after that changes the target for subsequent queries. In this case, it can be useful to develop a Snort signature to intercept HTTP requests to server 10.10.10.10 port 80 with a GET request for the URL RaDa/RaDa_commands.html, something like:
alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"RaDa Malware infected client tries to reach server to get commands"; uricontent:"RaDa/RaDa_commands.html"; nocase; flow:from_client,established; classtype: misc-activity; rev:1;)
Of course, in the real world the malware tries to connect to a server with a public address, other than 10.x.x.x, 192.168.x.x and 172.16-31.x.x (RFC1918 private addresses), and you can change the rule's destination from "any $HTTP_PORTS" to "$EXTERNAL_NET $HTTP_PORTS" for proper detection.
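As an added example, not from the original writeup, the same detection logic as the Snort rule expressed in Python over raw HTTP requests, including the switch from "any" to "$EXTERNAL_NET" destinations described above. The sample requests are constructed (the second one uses the documentation address 203.0.113.5 as a stand-in for a public server).

```python
import ipaddress

# Indicators from the analysis above: the default command-page path (matched
# case-insensitively, like `nocase`), the User-Agent sent, and the RFC1918 ranges.
RADA_URI = "/rada/rada_commands.html"
RADA_UA = "MSIE 5.01; Windows NT 5.0"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, uri, headers dict)."""
    lines = [l for l in raw.replace("\r\n", "\n").split("\n") if l.strip()]
    method, uri, _version = lines[0].split(None, 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, uri, headers

def is_rfc1918(host):
    """True for a 10/8, 172.16/12 or 192.168/16 literal; False for hostnames."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)

def classify(raw, external_only=False):
    """Alert dict for a RaDa command poll, else None. external_only=True mirrors
    '$EXTERNAL_NET' as destination: polls to RFC1918 servers are ignored."""
    method, uri, headers = parse_request(raw)
    if method != "GET" or RADA_URI not in uri.lower():
        return None
    host = headers.get("host", "").split(":")[0]
    if external_only and is_rfc1918(host):
        return None
    return {"server": host, "uri": uri,
            "ua_match": RADA_UA in headers.get("user-agent", "")}

def scan(requests, external_only=False):
    """Run classify() over raw requests and keep only the alerts."""
    return [a for a in (classify(r, external_only) for r in requests) if a]

# Constructed samples (not captured traffic): the lab request above, the same
# poll to a public documentation-range address, and an unrelated page fetch.
UA = "User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)\r\n"
SAMPLES = [
    "GET /RaDa/RaDa_commands.html HTTP/1.1\r\nHost: 10.10.10.10\r\n" + UA,
    "GET /rada/rada_commands.html HTTP/1.1\r\nHost: 203.0.113.5\r\n" + UA,
    "GET /index.html HTTP/1.1\r\nHost: 10.10.10.10\r\nUser-Agent: curl/7.0\r\n",
]
```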
The malware adopts a method widely used by most of the worms/trojans that infest the Internet at this moment, like Gaobot, Agobot, SDbot and so on. It uses a modified executable packer to prevent decompression. In many cases, malware uses more than one executable packer to make decompression harder. In this case, most antivirus scanners identify the RaDa executable as UPX packed, but UPX is unable to decompress it.
I think that the best category for this malware may be backdoor/bot. It is not properly a virus, because it seems not to have self-replicating or infecting code. It isn't a worm, because it does not use the network to spread itself, not directly. It isn't a trojan, because it doesn't have the appearance of a "useful" program to induce the user to activate it.
It can be a point of access to the infected PCs, like a backdoor, and it can execute some simple tasks automatically, controlled by a remote "owner", like a bot. The advantage of this kind of backdoor is that it works even if the infected PC is behind a firewall.
This is my first Scan of the Month appearance, and I don't know the previously analyzed "tools". But looking at the past challenges on the Honeynet website, I found some (very small) similarities with the malware in the "Reverse Challenge".
There are various methods to detect the infection:
Yes, using one of these command lines:
c:\rada\bin\rada --authors
c:\rada\bin\rada --help
or using the default behavior with a wrong argument:
c:\rada\bin\rada wrongoption
which shows an IExplorer window with the authors, or using the GUI interface:
c:\rada\bin\rada --gui
where the authors are in bold. Strange malware, indeed...
I also found the string using the method described in the Analysis paragraph. You can see some screenshots of the dialogs and the IExplorer window at this link:
http://ilpettegolo.altervista.org/sotm32.html.
Some of the possible improvements of this kind of malware are already used in most of the Internet worms like SDbot, Spybot (the worm, not the anti-spyware utility), Gaobot and similar. Most of them use these strategies and methods to avoid both detection and removal:
These malwares also show a good number of methods to spread themselves to as many PCs as possible. A Gaobot variant uses six different vulnerabilities of Windows, two of Internet Information Server and one of MS SQL Server, and uses Windows disk shares with weak passwords to propagate if none of the exploits works.
After the infection, these worms connect to an IRC server as bots and wait for orders from it. They are able to launch a wide variety of network DDoS attacks, counting on a large number of infected machines. They are also capable of getting any file from the infected PCs. Some of them are able to launch any command or reboot the PC, or have the ability to send mail to any address collected from the infected PCs. They also have network sniffing capability.
These malwares are designed to do more things, all dangerous, and all at the orders of the "owner" of the worm.
I think that the latest released patches and Service Packs will help to lower the threat, but too many users ignore the danger.