Honeynet Scan Of the Month 32 Questions and Answers
Author: Chris Eagle, cseagle
at nps d0t edu
A detailed analysis of RaDa.exe can be found
1. Identify and provide an overview of
the binary, including the fundamental pieces of information that would
in identifying the same specimen.
The program is a back door. When
executed on a victim machine, it
can take steps to install itself so that it is launched whenever the
system is started. The program has the capability of uploading or
to/from a designated remote web server. It also has the capability to
execute any command on the victim machine at the direction of a
controlling server. The last main feature is its ability to take screen
shots of the victim
machine at the direction of a controlling server. This particular
most easily identified by the embedded string:
"!This program is the binary of SotM 32.."
The program is compressed using the UPX compresser for executable files
in an attempt to make reverse engineering more difficult. As a
further measure, the UPX headers were changed in order to prevent UPX
being used to recover the original program.
2. Identify and explain the purpose of the binary.
It is a simple backdoor. Its purpose is
to provide a means of
controlling a remote computer.
3. Identify and explain the different
features of the binary. What are its capabilities?
The binary was protected (obfuscated)
using UPX and was further
corrupted to prevent UPX from being used to remove the protection. The
was written using Visual Basic and compiled to native x86 machine
The program makes use of an InternetExplorer.Application object to
based communications and a WScript.Shell object to interact with the
registry and the WMI interface. The program can install or uninstall
itself from a
victim computer. The program retrieves commands from a remote server
executes those commands on the victim computer. The program can be
commanded to download new files from a remote server, upload files from
the victim to a remote server, capture and save a screen shot of the
and execute any available program on the victim computer.
4. Identify and explain the binary
communication methods. Develop a Snort signature to detect this type of
malware being as generic as possible, so other similar specimens could
but avoiding at the same time a high false positives rate signature.
The binary downloads a specified
command file from a specified command
server using an InternetExplorer application object as the download
agent. The command file is parsed for form fields containing directives
that the program
carries out on the victim machine. The use of Internet Explorer to
conduct all remote communications may be helpful in bypassing host
based intrusion detection programs such as Black Ice, Zone Alarm, and
thw Windows Firewall because Internet Explorer is very likely to have
been granted permanent permission to establish outbound connections on
a given computer. Unlike many backdoor programs, this
program does not open any ports on the victim machine to accept
The following Snort rule triggers on an HTTP request being made for the
default command file used by the program: RaDa_commands.html
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"BACKDOOR RaDa
command file access"; flow:to_server,established;
uricontent:"/RaDa_commands.html"; nocase; )
The program also triggers existing Snort rule 1:1481 on detection of
the default upload method of the program (access to upload.cgi). Sample
[**] [1:0:0] BACKDOOR RaDa command file access [**]
5. Identify and explain any techniques
in the binary that protect it from being analyzed or reverse
09/30-17:56:58.948173 192.168.0.36:1448 -> 192.168.0.202:80
TCP TTL:128 TOS:0x0 ID:12019 IpLen:20 DgmLen:393 DF
***AP*** Seq: 0xDD4AB355 Ack: 0xDF4C471C Win: 0x4470 TcpLen: 20
[**] [1:1481:4] WEB-CGI upload.cgi access [**]
[Classification: Attempted Information Leak] [Priority: 2]
09/30-17:57:00.949811 192.168.0.36:1449 -> 192.168.0.202:80
TCP TTL:128 TOS:0x0 ID:12026 IpLen:20 DgmLen:965 DF
***AP*** Seq: 0xDD52EEB4 Ack: 0xDFB7B818 Win: 0x4470 TcpLen: 20
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10290]
First the binary was packed with UPX.
Next the UPX headers were mangled
so that UPX could not be used to unpack the binary back to its original
UPX Scramble is one such tool that is capable of performing this task.
listing the author names (--authors command line argument) the program
attempts to determine if it is running within a VMWare virtual machine
by checking for the presence of the "HKLM\Software\VMware, Inc.\VMware
Tools\InstallPath" registry key and looking for any network interfaces
that have a VMWare
6. Categorize this type of malware
(virus, worm...) and justify your reasoning.
The program is a backdoor. When
installed on a victim computer, it
provides a remote controller the capability to execute arbitrary
commands on the victim. Unlike a trojan horse, it is not disguised in
to make it likely that a user would mistakingly execute it. It
does not require nor does it infect additional host files on the victim
computer and is
therefore not a virus. The program makes no attempt to attack and
to additional computers and is therefore not a worm. And while
the binary contains the string "Starting DDoS Smurf remote
attack...", there is no evidence to suggest that it is capable of doing
so, so it is not a DDoS agent.
7. Identify another tool that has
demonstrated similar functionality in the past.
Most irc bots (agobot, slackbot,
etc...) contain some of the backdoor
functionality contained by this program. Classic Windows backdoor
programs include Back Orifice and SubSeven. Obscure VisualBasic
that have appeared in the wild include (Symantec designations)
Fearic, Pointex, and Khaos.
8. Suggest detection and protection
methods to fight against the threats introduced by this binary.
One suggestion is to use alternative
web browsers such as Opera, or Mozilla/Firefox and then block Internet
Explorer from establishing outbound connections without user
approval. File scanning utilities such as anti-virus software
could alert when
obfuscated binaries are executed. Binaries such as these are often
detectable by examining their import tables. Users could be afforded
the opportunity to
allow or deny program continuation in a manner similar to the choices
offered by host
based firewalls. Registry change monitors could be used to
monitor and alert on changes to the keys commonly used for launching
malware such as HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Run as
used by this program. From a reverse engineering standpoint, efforts
need to be made
to make virtual machine environments less detectable to software
running within those environments.
* Is it possible to interrogate the
binary about the person(s) who developed this tool? In what
circumstances and under which conditions?
Yes it is possible using the following
* What advancements in tools with
similar purposes can we expect in the near future?
- Rada --help
- opens an Internet Explorer window
that displays a copyright notice with the authors names
- Rada --gui
- opens a gui panel containing
a copyright notice and the authors names Two buttons on the panel,
"Show config" and "Show usage" can be used to open an Internet Explorer
window similare to that of "Rada --help"
- Rada --authors
- The program checks to see whether
it is being run within a VMWare virtual machine and if it can't detect
VMWare it opens a message box
dialog that names the authors. Refer to
the analysis writeup for ways to defeat
the VMWare checks performed by
We can expect tools of this sort to:
- communicate in a more covert manner
- hide themselve using more difficult to detect methods
- perform more sophisticated checks for virtual machine environments
- use more sophisticated obfuscation techniques