Abstract

Details

The file is programmed in Visual Basic 6.0 and contains a string reference showing that the version of the file is RaDa v 0.22.


How does the tool work?

The RaDa.exe backdoor carries out a distributed denial of service attack (a DDoS smurf attack).

The backdoor connects to 10.10.10.10 on port 80 and waits for the client connection from which it will be commanded.

When ready, it accepts the following backdoor commands:

--verbose       verbose mode

--visible       visible or invisible

--server        server type

--commands      give commands

--cgipath       path of the CGI

--cgiget        CGI get

--cycles        number of cycles

--help          give help about the tool

--installdir    directory of installation

--noinstall     do not install

--uninstall     uninstall the backdoor

--authors       give information and the names of the authors

 

The backdoor creates an entry under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it starts again each time the machine reboots.

It creates these directories:

C:\RaDa

C:\RaDa\tmp

C:\RaDa\bin

and this file, which is a copy of the same executable:

C:\RaDa\bin\RaDa.exe

 

It uses the utility fupload.vbs for upload/download (“Copyright (C) 2001 Antonin Foller, PSTRUH Software”).

The backdoor contains code to scan the private address ranges of all three network classes (A, B and C):

http://192.168.

http://172.16.

http://10.

and it gathers information with this SQL-like query (WQL, run against WMI):

SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True

This returns a collection consisting of all the network adapter configurations on the computer for which IP is enabled.

 

The binary contains the following string of MAC address prefixes in its code (three OUIs, 00:0C:29, 00:50:56 and 00:05:69, all of them assigned to VMware):

00:0C:29:00:50:56:00:05:69:
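To see what the combination of the WQL query and the embedded MAC prefixes lets the sample learn about the machine it runs on, here is an added example (not code from the original analysis) that replicates the comparison on the analyst's side: it takes rows shaped like Win32_NetworkAdapterConfiguration results and reports the IP-enabled adapters whose OUI matches one of the three prefixes found in the binary. The sample adapter rows are constructed, and the assumption that the binary compares exactly these three OUIs is the analyst's reading of the string above.

```python
# Added example (not from the original analysis): replicate the check a sample
# could perform with the MAC prefixes found in the binary, so an analyst can
# tell whether an analysis VM would be recognised by them.
import re

# The three OUI prefixes recovered from the binary's string
# "00:0C:29:00:50:56:00:05:69:"; all three are VMware-assigned OUIs.
VMWARE_OUIS = ("00:0C:29", "00:50:56", "00:05:69")


def normalize_mac(mac: str) -> str:
    """Return the MAC as upper-case colon-separated pairs; reject junk."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def vmware_adapters(adapters) -> list:
    """Given records shaped like Win32_NetworkAdapterConfiguration rows
    (dicts with 'Description', 'MACAddress', 'IPEnabled'), return the
    descriptions of IP-enabled adapters whose OUI is in VMWARE_OUIS.
    The IPEnabled filter mirrors the WQL query's WHERE clause."""
    hits = []
    for adapter in adapters:
        if not adapter.get("IPEnabled") or not adapter.get("MACAddress"):
            continue
        mac = normalize_mac(adapter["MACAddress"])
        if mac[:8] in VMWARE_OUIS:
            hits.append(adapter["Description"])
    return hits


# Constructed sample rows (not real captured data).
SAMPLE_ADAPTERS = [
    {"Description": "Intel(R) PRO/1000 MT", "MACAddress": "00:0c:29:3a:1b:2c", "IPEnabled": True},
    {"Description": "Realtek PCIe GbE", "MACAddress": "00-1A-2B-3C-4D-5E", "IPEnabled": True},
    {"Description": "vmxnet3 (disabled)", "MACAddress": "00:50:56:aa:bb:cc", "IPEnabled": False},
]

if __name__ == "__main__":
    print(vmware_adapters(SAMPLE_ADAPTERS))  # ['Intel(R) PRO/1000 MT']
```

On a live Windows host the same rows can be pulled with `wmic nicconfig where IPEnabled=True get Description,MACAddress`; if the function reports a hit for your analysis VM, assume the sample can tell it is running under VMware.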

 

First of all, when the backdoor is executed it tries to connect to http://10.10.10.10/RaDa

to read the backdoor configuration, which holds information in this format:

<TITLE>

<RaDa Current Configuration>

</TITLE>

The backdoor leaves from a high port (greater than 1024) and connects to IP 10.10.10.10 on the HTTP port (80).

 

 

How can you detect the presence of such tools?

 

1) If the process RaDa.exe is in memory.

2) If the firewall or IDS detects a connection to 10.10.10.10 on port 80.
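The two detection points above, together with the install paths and the Run key described earlier, can be checked mechanically. The following added example (not code from the original analysis) runs those checks over a snapshot of a host; the snapshots are constructed Python structures standing in for a process list, a directory listing, the Run key's values and a netstat-style connection table.

```python
# Added example (not code from the original analysis): check a snapshot of a
# Windows host for the RaDa indicators the analysis lists. All inputs are
# constructed structures, not data captured from a real host.
from dataclasses import dataclass

C2_IP, C2_PORT = "10.10.10.10", 80
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
INSTALL_PATHS = (r"C:\RaDa", r"C:\RaDa\tmp", r"C:\RaDa\bin", r"C:\RaDa\bin\RaDa.exe")


@dataclass
class HostSnapshot:
    processes: list     # image names, as tasklist would show them
    paths: list         # filesystem paths that exist on the host
    run_values: dict    # value name -> command line under RUN_KEY
    connections: list   # (pid, proto, remote_ip, remote_port, state)


def check_host(snap: HostSnapshot) -> list:
    """Return one finding string per RaDa indicator present in the snapshot."""
    findings = []
    # 1) the process RaDa.exe in memory
    for name in snap.processes:
        if name.lower() == "rada.exe":
            findings.append("process RaDa.exe is running")
    # the install directories and the copy of the binary
    present = {p.lower() for p in snap.paths}
    for path in INSTALL_PATHS:
        if path.lower() in present:
            findings.append(f"install artifact present: {path}")
    # the persistence entry under the Run key
    for value, cmd in snap.run_values.items():
        if "rada" in cmd.lower():
            findings.append(f"Run value {value!r} under {RUN_KEY} -> {cmd}")
    # 2) a TCP connection to 10.10.10.10 on port 80
    for pid, proto, rip, rport, state in snap.connections:
        if proto.upper() == "TCP" and rip == C2_IP and int(rport) == C2_PORT:
            findings.append(f"pid {pid} connected to {rip}:{rport} ({state})")
    return findings


# Constructed snapshots (not real captured data).
CLEAN_HOST = HostSnapshot(
    processes=["System", "explorer.exe", "svchost.exe"],
    paths=[r"C:\Windows", r"C:\Program Files"],
    run_values={"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    connections=[(4, "TCP", "192.168.1.5", 445, "LISTENING")],
)
INFECTED_HOST = HostSnapshot(
    processes=["System", "explorer.exe", "RaDa.exe"],
    paths=[r"C:\Windows", r"C:\RaDa", r"C:\RaDa\bin\RaDa.exe"],
    run_values={"RaDa": r"C:\RaDa\bin\RaDa.exe"},
    connections=[(1337, "TCP", "10.10.10.10", 80, "ESTABLISHED"),
                 (4, "TCP", "192.168.1.5", 445, "LISTENING")],
)

if __name__ == "__main__":
    for label, snap in (("clean", CLEAN_HOST), ("infected", INFECTED_HOST)):
        print(label, check_host(snap) or ["no RaDa indicators"])
```

On a real machine the same four inputs come from `tasklist`, a directory listing of C:\, `reg query` on the Run key and `netstat -ano`; feeding their output into a HostSnapshot gives the same findings list.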

 

How can you defend against such attacks?

1) I have developed my own tool, antiradar.exe, which does the following:

Kill the process

Delete the file and subdirectories

Create a file C:\Rada so that the backdoor cannot create its copy again, and add this entry in the registry:

HKLM\Software\VMware, Inc.\VMware Tools\InstallPath

2) Editing the Hosts file and adding this line at the end of the file:

127.0.0.1          10.10.10.10

Note: 10.10.10.10 is the IP the backdoor connects to. With this line the backdoor cannot connect to its original IP because we have redirected it to the local IP.

This is the same as blocking the IP 10.10.10.10 on port 80 in the firewall or IDS.

3) With the Snort signature
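The Hosts-file step under 2) is easy to get wrong by hand (duplicate lines, a missing trailing newline, the entry appended to a comment). The added example below (not code from the original analysis, and not part of antiradar.exe) applies that sinkhole entry only when no equivalent mapping already exists, and demonstrates it on a temporary file rather than the real %SystemRoot%\System32\drivers\etc\hosts. The sample hosts contents are constructed.

```python
# Added example (not code from the original analysis): append the sinkhole
# entry "127.0.0.1  10.10.10.10" to a hosts file only when no equivalent
# mapping is present, so running the fix twice does not duplicate the line.
import os
import tempfile

TARGET, SINK = "10.10.10.10", "127.0.0.1"


def parse_hosts(text: str) -> dict:
    """Map each name in a hosts file to its address. The first entry for a
    name wins, and comments (#) and blank lines are skipped, as a resolver
    reading the file would do."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def add_sinkhole(text: str, target: str = TARGET, sink: str = SINK) -> str:
    """Return the hosts text with target -> sink present exactly once."""
    if parse_hosts(text).get(target) == sink:
        return text                       # already sinkholed: no change
    sep = "" if text == "" or text.endswith("\n") else "\n"
    return f"{text}{sep}{sink}          {target}\n"


def apply_to_file(path: str, target: str = TARGET, sink: str = SINK) -> bool:
    """Rewrite the hosts file at path if needed; True when it was changed."""
    with open(path, encoding="utf-8") as fh:
        before = fh.read()
    after = add_sinkhole(before, target, sink)
    if after != before:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(after)
    return after != before


if __name__ == "__main__":
    # Demonstrate on a temporary copy, never on the live hosts file.
    fd, path = tempfile.mkstemp(suffix="-hosts")
    os.close(fd)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("# constructed sample hosts file\n127.0.0.1       localhost\n")
    print("changed:", apply_to_file(path))   # True
    print("changed:", apply_to_file(path))   # False
    with open(path, encoding="utf-8") as fh:
        print(fh.read())
    os.remove(path)
```

One caveat for whoever applies this: the hosts file is consulted only when a program resolves a name. A program that connects to the literal address 10.10.10.10 never performs that lookup, so the firewall rule the author names as the equivalent control is the one to rely on, with the hosts entry as a belt-and-braces addition.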

Related links

DDoS smurf attack

http://www.pentics.net/denial-of-service/white-papers/smurf.cgi

http://securityresponse.symantec.com/avcenter/venc/data/smurf.dos.attack.html