Questions

Ensure you document the procedures, tools and methods used.

  1. Identify and provide an overview of the binary, including the fundamental pieces of information that would help in identifying the same specimen.

RaDa.exe is a backdoor that, according to the strings in the binary, can take part in a distributed denial of service (DDoS) attack: the attacker who controls it can launch coordinated attacks on a victim from multiple sites (the compromised hosts) on the Internet at once. A string that announces an attack does not by itself prove that the routine is implemented, so the claim should be confirmed by tracing the code path that prints it.

The file is written in Visual Basic 6.0 and contains a string reference with its version, "RaDa v 0.22".

  2. Identify and explain the purpose of the binary.

RaDa.exe carries out whatever actions the attacker who controls it specifies in the file RaDa_commands.html, hosted on the web server at IP 10.10.10.10. Those operations are:

Attack with a distributed denial of service (DDoS smurf) attack.

Upload and download files.

The backdoor waits for orders from that command server. It accepts these command-line options:

--verbose           verbose mode

--visible           run with a visible window or hidden

--server            server to contact

--commands          commands file to fetch

--cgipath           path of the CGI on the server

--cgiget            CGI used for get (download)

--cycles            number of cycles (polling rounds)

--help              print help

--installdir        installation directory

--noinstall         do not install

--uninstall         uninstall the backdoor

--authors           print information about the authors

 

  3. Identify and explain the different features of the binary. What are its capabilities?

The backdoor creates an entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run so that it is started again at every boot.

It creates these directories:

C:\RaDa

C:\RaDa\tmp

C:\RaDa\bin

and this file, which is a copy of itself:

C:\RaDa\bin\RaDa.exe

 

The upload/download routine is derived from the fupload.vbs utility ("Copyright (C) 2001 Antonin Foller, PSTRUH Software"); that copyright notice is embedded in the binary.

The backdoor can scan the three RFC 1918 private address ranges (one each from the old class A, B and C spaces), which appear in the binary as URL prefixes:

http://192.168.

http://172.16.

http://10.

It also obtains the network configuration of the infected machine with this WMI (WQL) query:

SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True

This returns the collection of all network adapter configurations on the computer for which IP is enabled, including each adapter's IP and MAC address.

The binary also contains this string:

00:0C:29:00:50:56:00:05:69:

It is not a single MAC address but three 24-bit vendor prefixes (OUIs) run together, 00:0C:29, 00:50:56 and 00:05:69, all of which are assigned to VMware. Compared against the MAC addresses returned by the query above, they let the binary tell whether it is running inside a VMware virtual machine (see question 5).

  4. Identify and explain the binary communication methods. Develop a Snort signature to detect this type of malware being as generic as possible, so other similar specimens could be detected, but avoiding at the same time a high false positives rate signature.

First of all, when the backdoor is executed it tries to connect to http://10.10.10.10/RaDa

to read the backdoor configuration (RaDa_commands.html), which has this format:

<TITLE>

<RaDa Current Configuration>

……………………………….

</TITLE>

The backdoor connects from an ephemeral port (above 1024) to TCP port 80 (HTTP) on 10.10.10.10. Because the channel is plain HTTP to port 80, it passes through most egress filters like ordinary web browsing, so detection has to look at the request itself.

The Snort signature to detect it is:

alert tcp $HOME_NET any -> 10.10.10.10 $HTTP_PORTS (msg:"RaDa command request"; flow:to_server,established; content:"GET /RaDa/RaDa_commands.html HTTP/1.1"; depth:37; classtype:web-application-activity; sid:4000; rev:1;)

The content string is exactly 37 bytes, so depth:37 anchors the match to the start of the request. Two caveats for use in practice: the rule is tied to the controller address 10.10.10.10, so a sample built against another server would not trigger it; a more generic variant keys on the request path /RaDa/RaDa_commands.html toward $EXTERNAL_NET rather than on a fixed IP, at the cost of some false positives from unrelated URLs containing that path. Also, SIDs below 1,000,000 are reserved for the rules distributed with Snort, so a locally written rule should use 1,000,000 or higher.

 

  5. Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.

1) The file is packed with UPX, so the string references cannot be seen until it is unpacked. I used OllyDbg with the OllyDump plugin to unpack it.

2) The backdoor checks that the machine is not an analysis machine (a VMware image) before executing normally. It does so by checking for this registry value, present in every VMware image with VMware Tools installed:

HKLM\Software\VMware, Inc.\VMware Tools\InstallPath

This value holds the VMware Tools installation path. Together with the VMware MAC prefixes noted under question 3, this is a simple virtual-machine detection: a sandbox built on VMware must hide both artifacts (the registry value and the adapter MAC) to observe the real behaviour.
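The two VMware checks described in this answer (the registry value here and the MAC prefixes under question 3), reproduced in PowerShell as an added example. This is not code from the original write-up or from RaDa itself: it issues the same WQL query the binary uses, splits the embedded OUI string the same way the binary's comparison implies, and reports what the backdoor would conclude. It assumes it is run on the Windows host under test (no network access needed).

```powershell
# Added example: reproduce RaDa's VMware detection so an analyst can see exactly
# what a sandbox has to hide. Not the author's code and not taken from the binary.

function Test-RaDaVMwareCheck {
    # 1. Registry check: the value the write-up says the binary looks for.
    $vmwareKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'
    $tools = Get-ItemProperty -Path $vmwareKey -Name InstallPath -ErrorAction SilentlyContinue
    $installPath = if ($tools) { $tools.InstallPath } else { $null }
    $registrySaysVMware = -not [string]::IsNullOrEmpty($installPath)

    # 2. MAC check: the blob "00:0C:29:00:50:56:00:05:69:" embedded in the binary is
    #    three 24-bit OUIs run together; all three are VMware vendor prefixes.
    $blob   = '00:0C:29:00:50:56:00:05:69:'
    $octets = $blob.TrimEnd(':') -split ':'
    $ouis   = for ($i = 0; $i -lt $octets.Count; $i += 3) { $octets[$i..($i + 2)] -join ':' }
    # $ouis is now 00:0C:29, 00:50:56, 00:05:69

    # Same WQL query the binary issues. MACAddress is reported as 'AA:BB:CC:DD:EE:FF'.
    $adapters = Get-CimInstance -Query 'SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True'
    $vmwareMacs = foreach ($a in $adapters) {
        if ($a.MACAddress -and ($ouis -contains $a.MACAddress.Substring(0, 8).ToUpper())) {
            $a.MACAddress
        }
    }
    $macSaysVMware = @($vmwareMacs).Count -gt 0

    [pscustomobject]@{
        RegistryInstallPath = $installPath
        VMwareMacAddresses  = (@($vmwareMacs) -join ', ')
        RegistryCheckHit    = $registrySaysVMware
        MacCheckHit         = $macSaysVMware
        LooksLikeVMware     = ($registrySaysVMware -or $macSaysVMware)   # the backdoor would refuse to run
    }
}

Test-RaDaVMwareCheck | Format-List
```

If either check hits, the sample as described would not show its real behaviour on that host; to observe it in a VMware guest, remove or rename the InstallPath value and give the virtual NIC a MAC outside the three VMware prefixes before running the binary.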

  6. Categorize this type of malware (virus, worm...) and justify your reasoning.

I think it is a backdoor, because it waits for a client connection and can receive orders to execute, such as download/upload files, DDoS, etc. It has no means of spreading by itself, so it is neither a virus nor a worm.

  7. Identify another tool that has demonstrated similar functionality in the past.

http://www.pestpatrol.com/pestinfo/s/spoofer_win32_vb_c.asp

Uses a smurf attack and is written in Visual Basic.

http://pestpatrol.com/pestinfo/d/ddos_win32_smurf.asp

Uses a DDoS smurf attack.

  8. Suggest detection and protection methods to fight against the threats introduced by this binary.

1) I developed my own tool for cleaning the infected system. It does the following:

-Kills the process

-Deletes the file and the subdirectories

-Creates a plain file named C:\RaDa, so that the backdoor cannot create its directory and infect the machine again, and creates the registry value the backdoor tests for VMware:

HKLM\Software\VMware, Inc.\VMware Tools\InstallPath

so that the binary believes it is running inside a VMware image and refuses to run.

2) Blocking the command channel. Adding this line at the end of the hosts file:

127.0.0.1          10.10.10.10

does not achieve that. 10.10.10.10 is the IP the backdoor connects to, but the hosts file only maps host names to addresses; the backdoor uses the numeric address directly, so the resolver never consults this line and the connection still goes out. Block the address with a host firewall rule (an outbound block for 10.10.10.10) or a null route instead, or sinkhole 10.10.10.10 at the network border.

3) The Snort signature from question 4.
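An added example, not the author's tool and not part of the original write-up, that implements the cleanup and containment steps above in PowerShell from the indicators given in this write-up. It assumes the running process is named RaDa, that the Run value's data contains the copied path C:\RaDa\bin\RaDa.exe (the value name is not assumed), and that the host has Windows Firewall with the NetSecurity module (Windows 8 / Server 2012 or later); run it from an elevated prompt.

```powershell
# Added example: clean and contain a host infected with RaDa. Not the author's tool.
# Assumptions: process name 'RaDa'; Run value data contains C:\RaDa\bin\RaDa.exe;
# New-NetFirewallRule is available. Run elevated.

$radaDir   = 'C:\RaDa'
$radaExe   = 'C:\RaDa\bin\RaDa.exe'
$c2        = '10.10.10.10'
$runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$vmwareKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'

# 1. Stop the running backdoor before touching its files.
Stop-Process -Name 'RaDa' -Force -ErrorAction SilentlyContinue

# 2. Remove every Run value that points at the copied binary.
$run = Get-Item -Path $runKey
foreach ($name in $run.GetValueNames()) {
    if ("$($run.GetValue($name))" -like "*$radaExe*") {
        Remove-ItemProperty -Path $runKey -Name $name
        Write-Host "Removed Run value '$name'"
    }
}

# 3. Delete C:\RaDa, C:\RaDa\tmp, C:\RaDa\bin and the copied executable.
if (Test-Path -LiteralPath $radaDir) {
    Remove-Item -LiteralPath $radaDir -Recurse -Force
}

# 4. Inoculate: a plain file named C:\RaDa stops the installer from recreating its
#    directory tree, and the VMware InstallPath value makes the binary believe it is
#    inside VMware and refuse to run. The second trick also fools any other software
#    that keys on that value, so apply it knowingly.
New-Item -Path $radaDir -ItemType File -Force | Out-Null
if (-not (Test-Path -Path $vmwareKey)) { New-Item -Path $vmwareKey -Force | Out-Null }
Set-ItemProperty -Path $vmwareKey -Name 'InstallPath' -Value 'C:\Program Files\VMware\VMware Tools\'

# 5. Block the command channel. A hosts entry does nothing here because the backdoor
#    dials the numeric address; an outbound firewall rule actually drops the traffic.
New-NetFirewallRule -DisplayName 'Block RaDa C2' -Direction Outbound `
    -RemoteAddress $c2 -Action Block | Out-Null
```

Step 4 is optional hardening; steps 1 to 3 and 5 are the cleanup proper. Verify afterwards that no Run value references C:\RaDa and that `Test-NetConnection 10.10.10.10 -Port 80` fails from the cleaned host.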

Bonus Question:

Running the binary with --authors shows this:

Copyright (C) 2004 Raul Siles & David Perez

Scan Of The Month 32 (SotM) - September 2004

You can learn a lot playing funny security challenges.

http://www.honeynet.org/scans/index.html

I think future versions could spread better (as a worm) by using system vulnerabilities such as RPC, LSASS, the current JPEG GDI+ exploit, etc.