Abstract

            Details

The file is programmed in Visual Basic 6.0 and the version of the backdoor is RaDa v0.22.

 

            Recommendations

1) I have developed my own tool, antiradar.exe. My tool does the following:

                 Kills the process

                 Deletes the file and its subdirectories

            Creates a file C:\RaDa so the backdoor cannot create a copy of itself there again, and adds this entry in the registry:

HKLM\Software\VMware, Inc.\VMware Tools\InstallPath

2) Edit the hosts file and add this line at the end of the file:

127.0.0.1          10.10.10.10

Note: 10.10.10.10 is the IP the backdoor connects to. With this line the backdoor cannot reach the original IP because it has been redirected to the local host.

Caveat: the hosts file maps host names to addresses and is only consulted when a name is resolved. A program that opens a socket to the literal address 10.10.10.10 never looks at it, so a host or network firewall rule that blocks TCP port 80 to 10.10.10.10 is the reliable form of this control.

The intended effect is the same as blocking IP 10.10.10.10, port 80, in the firewall (an IDS alone only alerts; it does not block).

3) With the Snort signature
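As an added example, not the author's antiradar.exe and not code from the original report, the three recommendations above as one PowerShell script run from an elevated prompt. Assumptions that the page does not state, labelled in the comments: the running process is named RaDa, the dropped copy lives under C:\RaDa, the VMware key is populated with a placeholder InstallPath value, the New-NetFirewallRule cmdlet (Windows 8 / Server 2012 and later) is available, and the beacon is a plain HTTP GET for /RaDa on TCP port 80, which is what the Snort rule matches (sid 1000001 is a local-range placeholder).

```powershell
# Added example (not the author's antiradar.exe): the report's three
# recommendations as a PowerShell script. Run from an elevated prompt.
# Assumptions, labelled here: the process name is RaDa, the dropped copy lives
# under C:\RaDa, and the beacon is a plain HTTP GET for /RaDa to 10.10.10.10:80.
$ErrorActionPreference = 'Stop'
$c2      = '10.10.10.10'
$dropDir = 'C:\RaDa'

# 1) Kill the process and remove the dropped files and subdirectories.
Get-Process -Name 'RaDa' -ErrorAction SilentlyContinue | Stop-Process -Force
if (Test-Path $dropDir) { Remove-Item -Path $dropDir -Recurse -Force }

# Occupy the path with a plain file so the backdoor cannot recreate its directory.
New-Item -Path $dropDir -ItemType File -Force | Out-Null

# Plant the VMware Tools key from the report; the backdoor reads it to decide it is
# running inside VMware. The InstallPath value is a placeholder (assumption).
$vmKey = 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'
if (-not (Test-Path $vmKey)) { New-Item -Path $vmKey -Force | Out-Null }
New-ItemProperty -Path $vmKey -Name 'InstallPath' `
    -Value 'C:\Program Files\VMware\VMware Tools\' -PropertyType String -Force | Out-Null

# 2) The hosts entry from the report, added only once. Note: hosts affects name
# resolution only; a connection to the literal address never consults it, so the
# firewall rule below is the control that actually blocks the traffic.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
if (-not (Select-String -Path $hosts -Pattern "\b$([regex]::Escape($c2))\b" -Quiet)) {
    Add-Content -Path $hosts -Value "127.0.0.1          $c2"
}

# Block outbound TCP/80 to the C2 address on the host firewall
# (New-NetFirewallRule: Windows 8 / Server 2012 and later, assumption).
New-NetFirewallRule -DisplayName "Block RaDa C2 $c2 TCP/80" -Direction Outbound `
    -Protocol TCP -RemoteAddress $c2 -RemotePort 80 -Action Block | Out-Null

# 3) A Snort rule for the beacon, written to a local rules file. It matches the
# request line of the GET for /RaDa as seen on the wire (assumed request format).
# Single-quoted here-string so $HOME_NET is not expanded by PowerShell.
$rule = @'
alert tcp $HOME_NET any -> 10.10.10.10 80 (msg:"RaDa backdoor fetching config from http://10.10.10.10/RaDa"; flow:to_server,established; content:"GET /RaDa"; nocase; classtype:trojan-activity; sid:1000001; rev:1;)
'@
Set-Content -Path '.\rada.rules' -Value $rule
Write-Host "RaDa cleanup done; Snort rule written to .\rada.rules"
```

The hosts entry is kept only because the report recommends it; the firewall rule is what stops the beacon, and the Snort rule gives the network-side alert the report's third item calls for. Load rada.rules from the Snort configuration with an include line and adjust HOME_NET to the monitored range.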

 

           

            How does the tool work?

 

The RaDa.exe backdoor launches distributed denial of service (DDoS smurf) attacks.

The backdoor creates an entry in the registry so that it starts up again when the machine reboots.

            It gathers information with a WMI (WQL) query:

                        SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True

This returns a collection of all the network adapter configurations on the computer for which IP is enabled.

First of all, when the backdoor is executed it tries to connect to http://10.10.10.10/RaDa

to read the backdoor configuration.

The backdoor connects to IP 10.10.10.10 on the HTTP port (TCP 80).

Related links

 

            DDoS smurf attack

                        http://www.pentics.net/denial-of-service/white-papers/smurf.cgi

                        http://securityresponse.symantec.com/avcenter/venc/data/smurf.dos.attack.html