Report Scan 32 - Analysis of RADA.EXE (The Binary) (Malware)
Author: Ronald Romero
Email: ronromero@cantv.net
Table of Contents
1.- Reception of Evidence to analyze
2.- Used Hardware and Software
3.- Compilation of Information
4.- Analysis of the collected Data
4.1.- Decompiling the Executable
4.1.3.- Determining Binary Protection
4.1.5.- Decompilation / Analysis
4.2.- Analysing Information generated by the Binary
Summary
Overview
This is an analysis of the RADA.EXE binary for the Honeynet Reverse Challenge (Scan of the Month 32, September 2004). It is a technical analysis and assumes that the reader has prior programming experience, but not necessarily experience in the field of reverse engineering.
The analysis is structured in five sections.
The first section deals with the handling of the evidence published by the Honeynet Project and describes the procedure for receiving and authenticating the digital evidence. The second section describes the hardware and software used throughout the analysis. The third section covers the collection of the information generated when the binary is executed in a controlled environment under real-time monitoring, for its later analysis in the fourth section, where the binary is also decompiled with reverse-engineering techniques, down to the reconstruction of the project with its forms and the assembly code of the functions it executes.
The report finishes by answering the questions posed by Scan 32.
1.- Reception of Evidence to analyze
This month's challenge is to analyze a home-made malware binary.
The binary is published on the Honeynet web page in the file rada.zip: http://www.honeynet.org/scans/scan32/
It was downloaded and its checksum verified with Md5Sum and WinHex; both agree with the value published on the web page:
A75DE27EE59AB60E148EFE7FEEE5DD3F  Md5Sum
A75DE27EE59AB60E148EFE7FEEE5DD3F  WinHex
A75DE27EE59AB60E148EFE7FEEE5DD3F  (Checksum from the web page)
The binary is a Windows PE (Portable Executable) file.
With Windows NT and Windows 95 a new executable file type was required, and so the "PE" Portable Executable was born; it is still in use today. Unlike its predecessors, PE is a true 32-bit file format that supports relocatable code, and it distinguishes between TEXT, DATA and BSS sections.
2.- Used Hardware and Software
The following resources were used for the analysis of the binary:
Hardware
- Computer: Pentium IV 2.26 GHz, 1 GB RAM, 40 GB hard disk and 10 GB hard disk
- Monitor
- USB DataTraveler 256 MB
- USB storage hard disk, 20 GB
- Switch 10/100
Software
- Windows XP SP1
- MS Office 2003
- WinHex 11.5
- Regmon (Sysinternals tool)
- Filemon (Sysinternals tool)
- TDIMon (Sysinternals tool)
- Process Explorer (Sysinternals tool)
- BinText (Foundstone)
- Netcat
- IDA 4.50
- VB Decompiler
- UPX (Ultimate Packer for eXecutables)
- WinPcap 3.1
- Ethereal
- VMware Workstation 4.5
- Dependency Walker
3.- Compilation of Information
I set up a VMware workstation for gathering and monitoring the data generated by the execution of the binary. On it I installed Windows XP with MS Office 2003 as the base platform for the tests.
After finishing the installation and configuration I proceeded to capture, in real time, the data generated by the execution of the binary. Filemon was activated to monitor the I/O operations on disk at file level, Regmon to monitor the operations on the registry, TDIMon to monitor the accesses to the network interface, and Ethereal to capture the incoming and outgoing packets of the different protocols (IP, TCP, UDP, ARP, etc.). I also took a dump of the RAM with WinHex 11.5 for later analysis.
The data obtained were stored directly on the USB storage hard disk; after finishing the gathering of the information generated by these programs, I proceeded to its analysis.
4.- Analysis of the collected Data
4.1.- Decompiling the Executable
The information compiled in section three is the starting point for the arduous task of untangling the elements that will answer all the unknowns about the analyzed binary.
Standard Windows analysis environment, including:
- Windows XP SP1
- MS Office 2003
- WinHex 11.5
- BinText (Foundstone)
- Netcat
- IDA 4.50
- VB Decompiler
- UPX
- WinPcap 3.1
- Ethereal
- VMware Workstation 4.5
- Dependency Walker
Patience and perseverance are also very important.
As a first inspection we analyze the logs obtained in section three, where the binary was executed in a controlled environment to observe its behaviour.
Taking advantage of the RAM dump, we analyzed it with the BinText tool and found a lot of important information that identifies the environment in which the binary was developed (excerpt of the BinText output; the columns are the file offset, the address in memory, the BinText string ID and the text):
File pos  Mem pos   ID  Text
========  ========  ==  ====
0000004D  0040004D  0   !This program is the binary of SotM 32..
000001B8  004001B8  0   .text
000001E0  004001E0  0   .data
00000208  00400208  0   .rsrc
...
00002378  00402378  0   Form1
00002380  00402380  0   Module1
00002654  00402654  0   Command_install
00002674  00402674  0   You can learn a lot playing funny security challenges
000026DC  004026DC  0   Command_usage
000026EC  004026EC  0   Command_exit
000026FC  004026FC  0   Command_conf
00002724  00402724  0   Label2
00002734  00402734  0   Command_go
00002740  00402740  0   Command_uninstall
00002798  00402798  0   keybd_event
000027DC  004027DC  0   kernel32
000027EC  004027EC  0   Sleep
...
00003D96  00403D96  0   Form1
00003DBA  00403DBA  0   Command_uninstall
00003DD0  00403DD0  0   Uninstall
00003DF2  00403DF2  0   MS Sans Serif
00003E08  00403E08  0   Command_install
00003E1C  00403E1C  0   Install
00003E3C  00403E3C  0   MS Sans Serif
00003E52  00403E52  0   Command_exit
00003E80  00403E80  0   MS Sans Serif
00003E96  00403E96  0   Command_usage
00003EA8  00403EA8  0   Show usage
00003ECB  00403ECB  0   MS Sans Serif
00003EE1  00403EE1  0   Command_conf
00003EF2  00403EF2  0   Show config
00003F16  00403F16  0   MS Sans Serif
00003F2C  00403F2C  0   Command_go
00003F59  00403F59  0   MS Sans Serif
00003F6F  00403F6F  0   Label3
00003F7A  00403F7A  0   (c) Raul Siles && David Perez
00003FB2  00403FB2  0   Comic Sans MS
00003FC8  00403FC8  0   Label2
00003FD3  00403FD3  0   SotM 32 - September 2004
00004006  00404006  0   Comic Sans MS
00004046  00404046  0   Comic Sans MS
...
0000B86C  0040B86C  0   MSVBVM60.DLL
...
00001A3F  00401A3F  0   @*\ASecurity through obscurity is the key.
00002394  00402394  0   v0.22
000023A4  004023A4  0   http://10.10.10.10/RaDa
000023D8  004023D8  0   RaDa_commands.html
00002404  00402404  0   cgi-bin
00002418  00402418  0   download.cgi
00002438  00402438  0   upload.cgi
00002454  00402454  0   C:\RaDa\tmp
00002470  00402470  0   filename
00002488  00402488  0   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
00002504  00402504  0   REG_SZ
00002518  00402518  0   C:\RaDa\bin
00002534  00402534  0   RaDa.exe
000025B8  004025B8  0   Starting DDoS Smurf remote attack...
00002830  00402830  0   Visible
00002844  00402844  0   --period
000029A8  004029A8  0   Wscript.Shell
000029C4  004029C4  0   RegWrite
000029D8  004029D8  0   RegRead
000029E8  004029E8  0   RegDelete
00002A18  00402A18  0   http://192.168.
00002A3C  00402A3C  0   http://172.16.
00002A60  00402A60  0   http://10.
00002A84  00402A84  0   InternetExplorer.Application
00002AC0  00402AC0  0   ToolBar
00002AD0  00402AD0  0   StatusBar
00002AE4  00402AE4  0   Width
00002AF0  00402AF0  0   Height
00002B04  00402B04  0   about:blank
00002B1C  00402B1C  0   navigate
00002B3C  00402B3C  0   Document
00002B50  00402B50  0   Forms
00002B5C  00402B5C  0   elements
00002B88  00402B88  0   Value
00002BB0  00402BB0  0   screenshot
00002BCC  00402BCC  0   sleep
00002BD8  00402BD8  0   Application
00002C00  00402C00  0   RaDa
00002C1C  00402C1C  0   Scan Of The Month 32 (SotM) - September 2004
00002C7C  00402C7C  0   --cgiput
00002C94  00402C94  0   --tmpdir
00002CAC  00402CAC  0   http://www.honeynet.org/scans/index.html
00002D04  00402D04  0   Copyright (C) 2004 Raul Siles & David Perez
00002D60  00402D60  0   <TITLE>RaDa Usage</TITLE>
00002D98  00402D98  0   <pre>
00002DA8  00402DA8  0   </pre>
00002DC4  00402DC4  0   Write
00002DD4  00402DD4  0   --verbose
00002DEC  00402DEC  0   --visible
00002E04  00402E04  0   --server
00002E1C  00402E1C  0   --commands
00002E38  00402E38  0   --cgipath
00002E50  00402E50  0   --cgiget
00002E68  00402E68  0   --cycles
00002E80  00402E80  0   --help
00002E94  00402E94  0   --installdir
00002EB4  00402EB4  0   --noinstall
00002ED0  00402ED0  0   --uninstall
00002EEC  00402EEC  0   --authors
00002F04  00402F04  0   Unknown argument:
00002F30  00402F30  0   <TITLE>RaDa Current Configuration</TITLE>
00002F88  00402F88  0   COMSPEC
00002FAC  00402FAC  0   ---------------------------0123456789012
00003000  00403000  0   AppendChunk
00003018  00403018  0   GetChunk
00003034  00403034  0   Content-Disposition: form-data; name="
00003090  00403090  0   Submit
000030A4  004030A4  0   Submit Form
000030CC  004030CC  0   Content-Type: multipart/form-data; boundary=
00003134  00403134  0   innerText
00003188  00403188  0   ADODB.Recordset
000031B0  004031B0  0   Fields
000031C0  004031C0  0   Append
000031D0  004031D0  0   AddNew
000031E8  004031E8  0   Update
000031F8  004031F8  0   Close
00003204  00403204  0   innerHTML
00003280  00403280  0   filename="{file}"
000032AC  004032AC  0   Content-Type: {ct}
000032D8  004032D8  0   {field}
000032EC  004032EC  0   {file}
00003310  00403310  0   ADODB.Stream
00003338  00403338  0   LoadFromFile
00003364  00403364  0   Upload file using http And multipart/form-data
000033C8  004033C8  0   Copyright (C) 2001 Antonin Foller, PSTRUH Software
00003440  00403440  0   [cscript|wscript] fupload.vbs file url [fieldname]
000034AC  004034AC  0   file ... Local file To upload
000034F8  004034F8  0   winmgmts:\\
00003514  00403514  0   \root\cimv2
00003530  00403530  0   url ... URL which can accept uploaded data
00003590  00403590  0   fieldname ... Name of the source form field.
00003600  00403600  0   This script requires some objects installed To run properly.
000036BC  004036BC  0   begin
000036FC  004036FC  0   SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
000037A0  004037A0  0   MACAddress
000037BC  004037BC  0   00:0C:29:
000037D4  004037D4  0   00:50:56:
000037EC  004037EC  0   00:05:69:
00003804  00403804  0   Authors: Raul Siles & David Perez, 2004
0000C097  0040C097  0   @*\ASecurity through obscurity is the key.
0000D9AA  0040D9AA  0   VS_VERSION_INFO
0000DA06  0040DA06  0   StringFileInfo
0000DA2A  0040DA2A  0   040904B0
0000DA42  0040DA42  0   CompanyName
0000DA5C  0040DA5C  0   Malware
The complete listing is attached to this document.
Analyzing this information we can say that the binary was developed in Microsoft Visual Basic 6, since it uses MSVBVM60.DLL (the Microsoft Visual Basic 6 virtual machine, i.e. the VB6 runtime), and that it is made up of a form called Form1 and a module called Module1. We also have the names of the possible authors of the binary (Authors: Raul Siles & David Perez, 2004) and the list of arguments it accepts.
Beyond that, the strings already reveal the server URL (http://10.10.10.10/RaDa), the command page (RaDa_commands.html), the CGI scripts used for transfers (download.cgi and upload.cgi in cgi-bin), the working directories C:\RaDa\bin and C:\RaDa\tmp, the persistence entry under HKLM\Software\Microsoft\Windows\CurrentVersion\Run, the use of an Internet Explorer automation object (InternetExplorer.Application, navigate, Document, Forms) to talk to the server, an embedded copy of the fupload.vbs upload script (ADODB.Stream, multipart/form-data with the fixed boundary ---------------------------0123456789012), and a WMI query (winmgmts:\\ ... \root\cimv2, SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True, MACAddress) followed by the prefixes 00:0C:29:, 00:50:56: and 00:05:69:, which are OUIs assigned to VMware. There is much more information in this listing that we will use further on.
4.1.3.- Determining Binary Protection
After analyzing the contents of the RAM dump, it remained to look at the contents of the file on disk to detect whether it is protected by some tool. WinHex 11.5 was used for this, and we noticed that the header of the file on disk contains no reference to the .text and .data sections that the memory dump shows, apart from the text "This program is the binary of SotM 32..": the file is packed and only unpacks itself in memory. How the packer was identified and removed is described under question 5.
With the program unpacked we have the original binary, and we now use IDA 4.50 to disassemble it.
We start with the disassembly of the executable obtained so far (IDA windows: List of Names, List of Symbols).
4.1.5.- Decompilation / Analysis
Knowing the application with which the binary was developed, we used the VB Decompiler tool (VBde.exe), which produced the RADA.vbp project file, Form1.frm and the list with the location of the procedures related to Form1.
Next is the list of functions obtained in IDA (Length is the function size in bytes; Flags are IDA's function attributes as shown in its Functions window):
Function Name    Segment  Start     Length    Flags
__vbaChkstk      .text    00401590  00000006  R . . . . . .
DllFunctionCall  .text    00401620  00000006  R . . . . . .
ThunRTMain       .text
sub_4027BC       .text    004027BC  00000019  R . . . . . .
sub_40280C       .text
sub_404A20       .text    00404A20  000000D0  R . . . B . .
sub_404AF0       .text    00404AF0  000000B0  R . . . B . .
sub_404BA0       .text    00404BA0  000001CA  R . . . B . .
sub_404D80       .text    00404D80  0000021A  R . . . B . .
sub_404FB0       .text    00404FB0  000002FC  R . . . B . .
sub_4052C0       .text    004052C0  000007C0  R . . . B . .
sub_405A80       .text    00405A80  000003AF  R . . . B . .
sub_405E40       .text    00405E40  000004B0  R . . . B . .
sub_4062F0       .text    004062F0  000003AF  R . . . B . .
sub_4066B0       .text    004066B0  00000161  R . . . B . .
sub_406840       .text    00406840  00000BEF  R . . . B . .
sub_407470       .text    00407470  0000012A  R . . . B . .
sub_4075D0       .text    004075D0  000000E4  R . . . B . .
sub_4076F0       .text    004076F0  000000CB  R . . . B . .
sub_4077D0       .text    004077D0  00000102  R . . . B . .
sub_4078F0       .text    004078F0  00000A38  R . . . B . .
sub_408360       .text    00408360  000003E3  R . . . B . .
sub_408780       .text    00408780  0000021B  R . . . B . .
sub_4089D0       .text    004089D0  00000135  R . . . B . .
sub_408B40       .text    00408B40  000001F0  R . . . B . .
sub_408D60       .text    00408D60  000002D9  R . . . B . .
sub_409050       .text    00409050  00000193  R . . . B . .
sub_409220       .text    00409220  000002E1  R . . . B . .
sub_409540       .text    00409540  00000DB0  R . . . B . .
sub_40A2F0       .text    0040A2F0  000002CB  R . . . B . .
sub_40A5F0       .text    0040A5F0  00000076  R . . . B . .
sub_40A6A0       .text    0040A6A0  00000220  R . . . B . .
sub_40A8C0       .text    0040A8C0  000001E0  R . . . B . .
sub_40AAA0       .text    0040AAA0  0000054E  R . . . B . .
sub_40B010       .text    0040B010
sub_40B160       .text    0040B160  00000070  R . . . B . .
Using the IDA command "Display Flow Chart of the current function" on each of them, we can see the calls that exist among them.
4.2.- Analysing Information generated by the Binary
With the data obtained from the execution of the binary in a controlled environment, the timeline of its execution is as follows:
1.- Creates files and directories
2.- Creates a value in the registry
3.- Opens a key in the registry
4.- Queries a value in the registry
5.- Sets a value in the registry
6.- Queries a key in the registry
7.- Files used during the execution
8.- Process handle
9.- Tries to communicate with the server 10.10.10.10
Upload script (fupload.vbs, embedded in the binary; text recovered from the strings):
ADODB.Stream, Type, LoadFromFile, READ
Upload file using HTTP and multipart/form-data
Copyright (C) 2001 Antonin Foller, PSTRUH Software
Usage: [cscript|wscript] fupload.vbs file url [fieldname]
file ... Local file to upload
winmgmts:\\ \root\cimv2
url ... URL which can accept uploaded data
fieldname ... Name of the source form field.
This script requires some objects installed to run properly.
1.- Identify and provide an overview of the binary, including the fundamental pieces of information that would help in identifying the same specimen.
The binary is software developed with Microsoft Visual Basic 6 and is composed of a form (Form1.frm) and a module (Module1.bas). It uses no concealment technique at run time and is easy to detect, because when executed it creates the folder C:\RaDa with the subfolders bin and tmp, copies itself into the first one and adds the value RaDa.exe = C:\RaDa\bin\RaDa.exe under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, so that it is started with Windows.
The analysis of the RAM dump showed that the binary uses VBA functions (Visual Basic for Applications), Windows Script Host (Wscript.Shell with RegWrite, RegRead and RegDelete, with which it handles the registry) and WMI (Windows Management Instrumentation, with which it queries the MAC address of the network adapters). File transfers to and from the infected computer are made through an Internet Explorer automation object and ADODB.Stream. During its execution the binary uses the modules ADVAPI32.DLL, GDI32.DLL, KERNEL32.DLL, MSVBVM60.DLL, MSVCRT.DLL, NTDLL.DLL, OLE32.DLL, OLEAUT32.DLL, RADA.EXE, RPCRT4.DLL and USER32.DLL.
On the other hand, according to this analysis the binary mounts a DDoS SYN flood attack against the addresses 10.x.x.x, 192.168.x.x and 172.16.x.x on port 80; note that the strings involved (http://192.168., http://172.16. and http://10.) are URL prefixes, so they may equally serve to restrict the server address to private networks. It also tries to reach http://10.10.10.10/RaDa automatically, in repeated cycles of approximately 100 seconds.
The binary accepts the following command-line parameters:
--period (period in seconds between connections to the server at http://10.10.10.10/RaDa/)
--gui (shows the form with the options)
--cgiput
--tmpdir (configures the temporary folder)
--verbose
--visible (shows the Internet Explorer window while it is connecting)
--server (connects to the server at the address http://10.10.10.10/RaDa/)
--commands (tries to reach a page on the server, http://10.10.10.10/RaDa/RaDa_commands.html)
--cgipath
--cgiget
--cycles (this parameter is related to the DDoS SYN flood attack)
--help (shows an Internet Explorer window with the data of the authors)
--installdir (copies the binary to the directory indicated)
--noinstall (runs the binary without installing it)
--uninstall (uninstalls the binary)
--authors (shows a window with the authors of the binary)
2.- Identify and explain the purpose of the binary.
The purpose of the binary is to open a backdoor for remote access to the victim, exchanging files with the server http://10.10.10.10/RaDa through the "Post binary data" method and ADODB.Stream. It also announces a "DDoS Smurf remote attack" against the addresses 192.168.x.x, 172.16.x.x and 10.x.x.x.
3.- Identify and explain the different features of the binary. What are its capabilities?
Its main capability is that the binary can be executed with parameters configurable from the command line. The features are the following:
--period (period in seconds between connections to the server at http://10.10.10.10/RaDa/)
--gui (shows the form with the options)
--cgiput
--tmpdir (configures the temporary folder)
--verbose
--visible (shows the Internet Explorer window while it is connecting)
--server var (sets the server address, var = http://x.x.x.x/Dir/)
--commands var (sets the command page, RaDa_commands.html by default, which it tries to reach on the server at http://10.10.10.10/RaDa/RaDa_commands.html)
--cgipath
--cgiget
--cycles var (configures the loop)
--help (shows an Internet Explorer window with the data of the authors)
--installdir (copies the binary to the directory indicated)
--noinstall (runs the binary without installing it)
--uninstall (uninstalls the binary)
--authors (shows a window with the authors of the binary)
4.- Identify and explain the binary communication methods. Develop a Snort signature to detect this type of malware, being as generic as possible so that other similar specimens could be detected, but avoiding at the same time a high false-positive rate.
The binary communicates with its server over HTTP on TCP port 80. The strings InternetExplorer.Application, navigate, Document, Forms and elements show that it drives an Internet Explorer instance (hidden unless --visible is given) to fetch http://10.10.10.10/RaDa/RaDa_commands.html and to transfer files through the cgi-bin scripts download.cgi and upload.cgi; the upload is a multipart/form-data request built by the embedded fupload.vbs code with the fixed boundary ---------------------------0123456789012. The channel carries no authentication or encryption, and the binary polls the server periodically (--period; approximately 100 seconds in the controlled execution).
A Snort signature could not be developed in this analysis.
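The constants recovered from the strings in section 4.1 (the command page name, the cgi-bin upload script and the fixed multipart boundary of the embedded fupload.vbs) are nevertheless enough for a content-based detector, and the periodic polling observed in section 4.2 gives a behavioural one. The following Python is an added example written for this edit, not part of the original report or of the challenge material; every request and timestamp in it is constructed, and the User-Agent value is an assumption about what Internet Explorer 6 on Windows XP would send.

```python
import re
import statistics

# Added example, not part of the original report: detection logic for the
# traffic pattern described by the strings in section 4.1 and the polling seen
# in section 4.2. Every request and timestamp below is constructed for the
# example; the User-Agent string is an assumption about what IE 6 on XP sends.

COMMAND_PAGE = "RaDa_commands.html"        # page the agent polls for commands
UPLOAD_CGI = "/cgi-bin/upload.cgi"         # script behind --cgiput
BOUNDARY = "---------------------------0123456789012"  # fixed boundary of the embedded fupload.vbs
RFC1918 = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")


def parse_request(raw):
    """Split one HTTP/1.x request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw):
    """Return the alert names one request triggers (an empty list means clean)."""
    method, path, headers, _body = parse_request(raw)
    host = headers.get("host", "")
    content_type = headers.get("content-type", "")
    alerts = []
    if method == "GET" and path.endswith("/" + COMMAND_PAGE):
        alerts.append("RaDa command page fetch")       # specific to this specimen
    if method == "POST" and path.endswith(UPLOAD_CGI) and "multipart/form-data" in content_type:
        alerts.append("RaDa upload.cgi post")
    if "boundary=" + BOUNDARY in content_type:
        # generic: any tool that reuses fupload.vbs sends this exact boundary
        alerts.append("fixed fupload.vbs multipart boundary")
    if alerts and not RFC1918.match(host):
        # the strings http://10., http://172.16. and http://192.168. suggest the
        # specimen only talks to private addresses; anything else is worth a look
        alerts.append("RaDa pattern towards a non-private host")
    return alerts


def find_beacons(events, min_count=4, jitter=0.15):
    """events: iterable of (t_seconds, src, url). Return {(src, url): period} for
    streams that repeat at a near-constant interval, as the --period polling of
    the command page does (about 100 s in the controlled execution)."""
    streams = {}
    for t, src, url in sorted(events):
        streams.setdefault((src, url), []).append(t)
    beacons = {}
    for key, times in streams.items():
        if len(times) < min_count:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = statistics.median(gaps)
        if period > 0 and all(abs(g - period) <= jitter * period for g in gaps):
            beacons[key] = period
    return beacons


# Constructed sample traffic for the example.
SAMPLE_POLL = ("GET /RaDa/RaDa_commands.html HTTP/1.1\r\nHost: 10.10.10.10\r\n"
               "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n\r\n")
SAMPLE_UPLOAD = ("POST /RaDa/cgi-bin/upload.cgi HTTP/1.1\r\nHost: 10.10.10.10\r\n"
                 "Content-Type: multipart/form-data; boundary=" + BOUNDARY + "\r\n"
                 "Content-Length: 0\r\n\r\n")
SAMPLE_CLEAN = "GET /scans/index.html HTTP/1.1\r\nHost: www.honeynet.org\r\n\r\n"
SAMPLE_EVENTS = [(100 * i, "192.168.1.5", "http://10.10.10.10/RaDa/RaDa_commands.html") for i in range(6)]
SAMPLE_EVENTS += [(t, "192.168.1.7", "http://www.honeynet.org/scans/index.html") for t in (3, 40, 41, 300, 900)]

if __name__ == "__main__":
    for raw in (SAMPLE_POLL, SAMPLE_UPLOAD, SAMPLE_CLEAN):
        print(raw.split("\r\n")[0], "->", classify(raw) or "clean")
    print("beacons:", find_beacons(SAMPLE_EVENTS))
```

In Snort terms the first match is a content option on the URI (content:"/RaDa_commands.html"; http_uri;) for traffic to port 80, and the boundary match is a content option on the Content-Type header. The boundary is the more generic of the two, since any tool that reuses fupload.vbs sends it unchanged, while the page name is specific to this specimen; the beacon check needs a flow log rather than a packet signature.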
5.- Identify and explain the techniques that the binary uses to protect itself from analysis or reverse engineering.
When analyzing the file header, the following can be observed:
Comparing the header of files generated with UPX (Ultimate Packer for eXecutables) with the header of the binary, we find strings of the same size in the same positions, but with the characters UPX replaced by JDR (in the section names and in the UPX! marker). We put the UPX characters back in place of JDR and ran upx.exe -d rada.exe, which decompressed the binary completely.
It is worth emphasizing that this kind of modification of a UPX-packed file defeats tools that identify the packer by its signature (the UPX0/UPX1 section names and the UPX! marker). It does not hide the packer from a careful look, though: the section layout (a first section with no raw data followed by a section that contains the entry point) and the high entropy of the packed section still identify UPX, and the binary unpacks itself in memory in any case, which is why the RAM dump already showed the clear-text strings.
A second measure is visible in the strings: a WMI query (winmgmts:\\ ... \root\cimv2, SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True, MACAddress) followed by the prefixes 00:0C:29:, 00:50:56: and 00:05:69:, which are OUIs assigned to VMware. The binary can therefore recognise that it is running inside a VMware virtual machine, such as the one used in this analysis, and behave differently there, so the results obtained in the VM should be confirmed with a run on physical hardware or with the adapter's MAC address changed.
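Both checks discussed so far, the BinText-style string listing of section 4.1 (file offset, mapped address, text) and the recognition and repair of a UPX file whose UPX tags were renamed as described above, can be scripted. The following Python is an added example written for this edit, not code from the original report or from the challenge; the PE image it inspects is constructed inline, so the offsets and addresses it prints belong to the sample and not to RaDa.exe. The layout test relies only on the section table (a first section with no raw data and an entry point in the second section), which is the property a renamed signature does not change.

```python
import re
import struct

# Added example, not code from the original report: a small PE triage helper.
# list_strings() gives the file-offset / memory-address / text listing that
# BinText produced in section 4.1; looks_upx_packed() and restore_upx_tag()
# cover the renamed-UPX case of question 5. The PE image is constructed inline
# for the example; nothing here is read from the real RaDa.exe.

def parse_pe(data):
    """Return (image_base, entry_rva, sections) for a PE32 / PE32+ image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    if magic == 0x10B:  # PE32 keeps a 32-bit ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    else:               # PE32+ keeps a 64-bit ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    sections = []
    for i in range(nsec):  # section headers follow the optional header
        hdr = opt + opt_size + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("latin-1")
        vsize, va, rsize, rptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append(dict(name=name, vsize=vsize, va=va, rsize=rsize, rptr=rptr, hdr=hdr))
    return image_base, entry_rva, sections

def offset_to_va(offset, image_base, sections):
    """Translate a file offset into the address the byte has once the image is mapped."""
    for s in sections:
        if s["rptr"] <= offset < s["rptr"] + s["rsize"]:
            return image_base + s["va"] + (offset - s["rptr"])
    return image_base + offset  # headers are mapped 1:1 at the image base

def list_strings(data, min_len=5):
    """BinText-style listing: sorted (file_pos, mem_pos, text) for ASCII and UTF-16LE runs."""
    image_base, _, sections = parse_pe(data)
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted((pos, offset_to_va(pos, image_base, sections), text) for pos, text in hits)

def looks_upx_packed(data):
    """UPX layout test that ignores names: the first section has no raw data (the
    area the stub unpacks into) and the entry point lies in the second section
    (the decompression stub). Renaming UPX0/UPX1 does not change either fact."""
    _, entry_rva, sections = parse_pe(data)
    if len(sections) < 2:
        return False
    first, second = sections[0], sections[1]
    return (first["rsize"] == 0 and first["vsize"] > 0
            and second["va"] <= entry_rva < second["va"] + second["vsize"])

def restore_upx_tag(data, tag):
    """Undo a 3-byte tag substitution such as the JDR-for-UPX one in question 5, in
    the section names and in the 'UPX!' marker that upx -d looks for. The marker
    replacement is global, so review the patched file in a hex editor."""
    patched = bytearray(data)
    for s in parse_pe(data)[2]:
        if patched[s["hdr"]:s["hdr"] + 3] == tag:
            patched[s["hdr"]:s["hdr"] + 3] = b"UPX"
    return bytes(patched.replace(tag + b"!", b"UPX!"))

def build_sample_image(tag=b"JDR"):
    """Constructed sample: PE32 with a UPX-like section pair renamed <tag>0/<tag>1,
    a <tag>! marker and two strings in the second section's raw data."""
    image_base, raw_ptr, sec1_va = 0x400000, 0x400, 0x20000
    body = b"\0" * 0x20 + b"http://10.10.10.10/RaDa\0" + tag + b"!" + b"\0" * 12
    body += "RaDa_commands.html".encode("utf-16-le") + b"\0\0"
    body = body.ljust(0x200, b"\0")
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 16, sec1_va + 0x100)       # entry point in section 2
    struct.pack_into("<I", opt, 28, image_base)
    sec0 = (tag + b"0").ljust(8, b"\0") + struct.pack("<IIII", 0x10000, 0x1000, 0, 0) + b"\0" * 16
    sec1 = (tag + b"1").ljust(8, b"\0") + struct.pack("<IIII", len(body), sec1_va, len(body), raw_ptr) + b"\0" * 16
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec0 + sec1).ljust(raw_ptr, b"\0")
    return headers + body

if __name__ == "__main__":
    image = build_sample_image()
    print("UPX layout:", looks_upx_packed(image), [s["name"] for s in parse_pe(image)[2]])
    for pos, va, text in list_strings(image):
        print(f"{pos:08X} {va:08X} {text}")
    print("after repair:", [s["name"] for s in parse_pe(restore_upx_tag(image, b"JDR"))[2]])
```

restore_upx_tag() only puts the original bytes back; the decompression itself is still done with upx -d on the patched file, as in the report. Run against a real sample, list_strings() on the file on disk shows only the packer stub's strings, while the same function on a memory dump (or on the unpacked file) shows the clear-text strings of section 4.1.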
6.- Categorize this type of malware (virus, worm, ...) and justify your reasoning.
The binary is a Trojan horse. A Trojan horse is malware that performs unexpected or unauthorized, often malicious, actions. The main difference between a Trojan horse and a virus is the inability to replicate: Trojan horses cause damage and unexpected system behaviour and compromise the security of systems, but they do not replicate. If it replicated itself, it would have to be classified as a virus.
A Trojan horse, named after the Trojan horse of Greek mythology, typically comes in an attractive package but carries hidden malicious intent in its code. When a Trojan is executed, users will likely experience unwanted system behaviour and sometimes the loss of valuable data.
7.- Identify another tool that has demonstrated similar functionality in the past.
Well, I do not know of one, but I suppose there are some.
8.- Suggest detection and protection methods to fight against the threats introduced by this binary.
Against this type of binary, a proactive strategy is what allows us to keep our systems from being infected. It is achieved through the configuration of firewalls (this specimen needs outbound HTTP to a server on a private address, which it polls periodically), tools that detect unauthorized modifications of the registry (here, the new value under HKLM\Software\Microsoft\Windows\CurrentVersion\Run that launches C:\RaDa\bin\RaDa.exe) and intrusion detection systems able to detect SYN flood attacks. This must be complemented with policies for the use, installation and handling of EXE files.
It is very important to have software update policies, since many of these tools exploit known vulnerabilities to harm the systems.
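The registry check suggested above can be scripted against the text that Windows' reg export command writes, which makes it easy to compare a host with a clean baseline. The following Python is an added example written for this edit, not part of the original report; both exports in it are constructed for the example, and the "Example Updater" entry is a placeholder, not a real product.

```python
import re

# Added example, not code from the original report: a host-side check for the
# persistence the report found (a value under the Run key that launches
# C:\RaDa\bin\RaDa.exe). It parses the text written by `reg export` and diffs
# the Run key against a saved baseline. Both exports below are constructed for
# the example; "Example Updater" is a placeholder entry, not a real product.

RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")   # system-managed trees
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<data>.*)"$')  # "Name"="REG_SZ data"


def parse_reg_export(text):
    """Return {key: {value_name: data}} for the REG_SZ values of a .reg export,
    undoing the \\ and \" escapes that regedit writes."""
    result, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if key is not None and m:
            result[key][m["name"]] = m["data"].replace('\\"', '"').replace("\\\\", "\\")
    return result


def launched_path(command):
    """First token of a Run command line, without surrounding quotes, lower-cased."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0].lower()
    return command.split(" ", 1)[0].lower()


def suspicious_run_entries(export_text, baseline_text=""):
    """Flag Run values that are new versus the baseline or that launch from
    outside the Windows / Program Files trees (e.g. C:\\RaDa\\bin)."""
    now = parse_reg_export(export_text).get(RUN_KEY, {})
    before = parse_reg_export(baseline_text).get(RUN_KEY, {})
    findings = []
    for name, command in now.items():
        reasons = []
        if name not in before:
            reasons.append("not in baseline")
        if not launched_path(command).startswith(TRUSTED_DIRS):
            reasons.append("outside trusted directories")
        if reasons:
            findings.append((name, command, reasons))
    return findings


# Constructed sample exports (the text `reg export` writes for the Run key).
BASELINE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Example Updater"="\"C:\\Program Files\\Example\\updater.exe\" /background"
'''
INFECTED_REG = BASELINE_REG + r'"RaDa.exe"="C:\\RaDa\\bin\\RaDa.exe"' + "\n"

if __name__ == "__main__":
    for name, command, reasons in suspicious_run_entries(INFECTED_REG, BASELINE_REG):
        print(f"{name!r}: {command}  <- {', '.join(reasons)}")
```

The baseline should be taken from a known-clean build; without one the "not in baseline" reason fires for every entry, and the path check alone is still useful because this specimen installs itself under a user-writable directory rather than under Program Files.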
Bonus Question:
This binary has a command-line argument --authors; with it, it shows a form with the names of the developers. The command is run from Start / Run as C:\RaDa\Bin\Rada --authors.
In the near future we can expect tools of this type to use advanced concealment techniques that let the binary avoid easy detection, together with more complex protection methods that prevent analysis by reverse engineering.
It is also worth noting that other components related to the binary may exist, carrying out specific functions for the operation and survival of the binary inside the infected system, using techniques such as steganography and binary morphing (signature change).
Summary
The binary is the agent half of a remotely controlled tool: a backdoor which, according to this analysis, also has a distributed denial of service capability. The following are the notable points discussed in the analysis.
- Written and compiled in the MS Visual Basic 6 language on Windows.
- The binary was protected with UPX and modified (the UPX signature renamed) so that it could not be unpacked and analyzed with the standard tool.
- It communicates with its handler over HTTP on TCP port 80 through an Internet Explorer automation object; the channel is unauthenticated and unencrypted.
- According to this analysis it can perform a SYN flood on the addresses 10.x.x.x, 192.168.x.x and 172.16.x.x.
- It executes scripts to download files to, and upload files from, the infected computer.
Note: Sorry, my
English is very bad. ;-)