Dissecting RaDa malware

Mario Pascucci <ilpettegolo (a) yahoo it> http://ilpettegolo.altervista.org/

september 22, 2004
Analysis of RaDa malware for Honeynet Project's "Scan of the month" n.32

1. Setup

2. Analysis

3. Answers

1. Setup

In this section you find the tools and the procedures used for the RaDa malware analysis.

1.1 Tools used


a cross platform PC-emulator http://bochs.sourceforge.net/


THE sniffer, part of Linux Installation


GTK+ GUI version of VI Improved, that come with Linux installation


trivial hexadecimal dump of file, that come with Linux installation


extract ASCII strings from a file, that come with Linux installation


executable compressor/decompressor http://upx.sourceforge.net/


Open Source antivirus scanner http://clamav.sourceforge.net/

1.2 Preparing the sandbox

I setup on Bochs a virtual PC with Pentium processor, 128Mbytes of RAM, 1.2G of disk, NE2000 ethernet card, modem, standard VGA display. In that PC I successfully installed Windows 2000 Server Service Pack 1. The network is configured to be completely isolated from the rest of PCs in my lab, and a notebook with RedHat 9 is used for "simulate" DNS server, IRC server, HTTP server, a Samba server with open shares in the same network of the virtual PC. In the PC where is the simulated PC there is Ethereal, ready to capture.

1.3 Advantage of this method

It is a rudimental method of analysis, I know, but permits to quickly obtain information about the executable and about the operating methods of any malware. I use the same method to analyze some worm viruses captured in the wild. Without use disassembler, debugger and other tools in the infected machine, but all the tools are external to the "virtual PC" seen like a "black box". This method can be very useful if the malware is made to detect reverse engineering attempt with tools like IDA or most debugger. It's my opinion that it's not so hard that some future malwares will detect reverse engineering attempt, as some real viruses can detect antiviruses, firewalls, tools like Windows Task Manager and Registry Editor and can terminate it to avoid user "interferences".

This methods does not uses anything internal to the infected PC, and you can obtain some useful informations without "interfere" with the normal activity of the malware.

2. Analysis

The binary is packed with a modified-UPX. Clamav do not identify as threat, nor Kapersky online scanner. It appear with nice icon (blowfish), and properties like Company name: Malware and Internal Name: RaDa that made identification with antivirus scanner quite simple.

On start it make new directory called RaDa in the root of C: disk, with two sudirectories, bin and tmp. It also creates new registry key in HKLM/Software/Microsoft/Windows/CurrentVersion/Run as "RaDa" to start at the login of any user. After that it tries to connect to IP address port 80 (HTTP).

On the RedHat 9 notebook, I put a new IP alias in the interface with the command:

ifconfig eth0:1 inet netmask up

and start Apache, configured to listen on all interfaces.

After the start of Apache, the virtual PC tries the connection to web server and send this request:

GET /RaDa/RaDa_commands.html HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Accept-Language: it
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Connection: Keep-Alive

that fails as expected, the requested document doesn't exist.

I send a signal SEGV to Bochs, with the command:

killall -SEGV bochs<em> 

that cause bochs to terminate with a coredump, that contains a memory image of the virtual PC with the executing malware. Next I extract the ASCII strings with:

strings -a -tx core > RaDa.txt

and start to explore the string file opening it with Gvim. Searching for "RaDa" string results in finding these groups of chars:

Offset  String
5cff654 Command_install
5cff674 You can learn a lot playing funny security challenges
5cff6dc Command_usage
5cff6ec Command_exit
5cff6fc Command_conf
5cff71c Label1
5cff724 Label2
5cff72c Label3
5cff734 Command_go
5cff740 Command_uninstall

and more interesting:

Offset  String
5ec0dba Command_uninstall
5ec0dd0 Uninstall
5ec0df2 MS Sans Serif
5ec0e08 Command_install
5ec0e1c Install
5ec0e3c MS Sans Serif
5ec0e52 Command_exit
5ec0e63 Exit
5ec0e80 MS Sans Serif
5ec0e96 Command_usage
5ec0ea8 Show usage
5ec0ecb MS Sans Serif
5ec0ee1 Command_conf
5ec0ef2 Show config
5ec0f16 MS Sans Serif
5ec0f2c Command_go
5ec0f59 MS Sans Serif
5ec0f6f Label3
5ec0f7a (c) Raul Siles && David Perez
5ec0fb2 Comic Sans MS
5ec0fc8 Label2
5ec0fd3 SotM 32 - September 2004

Trying to launch rada.exe with an argument (i.e. /help) shows an Internet Explorer window (without toolbars, menu and status bar) with some strings like the URL of the Scan of the Month website. Those strings didn't appear in the strings command generated file. Then I create an hexdump of the corefile with:

hexdump -C core > RaDa.hex

and and open it with Gvim, start searching string like: h<any char>o<any char>n<any char>e, and I found some interesting Unicode strings:


Trying to pass this arguments to rada.exe on the command line causes some interesting results:


do not install registry key to autostart, nor install RaDa in c:\RaDa directory tree.


starts RaDa in GUI mode.

--tmpdir path

accept an argument as path to tmp directory (Default c:\RaDa\tmp)

--installdir path

accept an argument as pat to install the binary


delete registry key in HKLM/...../Run for autostart and RaDa.exe from c:\RaDa\bin, do not remove directories.


shows a IExplorer window with some help (only a sort of About. for now)


made visible an IExplorer window with the HTML page downloaded from

--commands file.html

changes the HTML file name from the default RaDa_commands.html

--server http://new.server.or.ip/directory/

change both server and directory in WEB server from the default


shows a MessageBox dialog with authors' names (RAul and DAvid, first letters used for the name of the executable)

--period int

time in seconds between attempt to read command file from server.

--cycles int

number of time to repeat the download/execute cycle (default forever=0)

--cgipath string

sets path for cgi script on server (Default cgi-bin)

--cgiput string

name pf upload script (default upload.cgi)

--cgiget string

name of downolad script (default download.cgi)

There are some other interesting strings:

Starting DDos Smurf remote attack

HKLM\Software\VMware, inc.\VMware Tools\Install\Path

3. Answers

I wasn't able to obtain more data and information with this method. But I'll try to reply to SotM questions.

1. Identify and provide an overview of the binary, including the fundamental pieces of information that would help in identifying the same specimen.

It's a compressed executable, made with a variant of UPX. It contain, even in the compressed form, some byte sequences that mades simple the identification by signature, like the string "Malware" in the Company Name property and the blowfish icon.

2. Identify and explain the purpose of the binary.

The binary installs itself and start to query for special made html page where, I think, it finds instruction to execute, as special keywords or VBS script, as I think about the string "wscript" contained in the esecutable.

3. Identify and explain the different features of the binary. What are its capabilities?

It has some interesting ability:

From this capabilities, it seems to be ready to transform the infected computer as "zombie" to launch attack to other computer in the network. Again, it seem to be able to "stole" data and information from the infected computer, transferring files to remote computer. There is a string in the executable "screenshot" that if it is a command like the name suggests, it can take a screenshot of the desktop and sends it to remote computer.

4. Identify and explain the binary communication methods. Develop a Snort signature to detect this type of malware being as generic as possible, so other similar specimens could be detected, but avoiding at the same time a high false positives rate signature.

It use normal HTTP protocol. It may be very difficult to develop a signature, because the server and the "get" string can be modified to any combination. It can be useful if the malware always start to connect every time to the same server and after that it changes the target for subseguent queries. In this case, it can be useful to develop a Snort signature to intercept http requests to server port 80 and a GET request to the URL RaDa/RaDa_commands.html, something like:

alert tcp $HOME_NET any -> any $HTTP_PORTS (msg:"RaDa Malware infected client tries to reach server to get commands"; uricontent:"RaDa/RaDa_commands.html"; nocase; flow:from_client,established; classtype: misc-activity; rev:1;)

Of course, in the real world the malware tries to connect to a server with public address, other than 10.x.x.x, 192.168.x.x and 172.16-31.x.x (RFC1918 private addresses), and you can change the rule for destination from "any $HTTP_PORTS" to "$EXTERNAL_NET $HTTP_PORTS" for proper detection.

5. Identify and explain any techniques in the binary that protect it from being analyzed or reverse engineered.

The malware adopt a method widely used in most of the worms/trojans that infests Internet at this moment, like Gaobot, Agobot, SDbot and so on. It use a modified executable packer, to avoid decompress. In most cases, malwares uses more than one executable packer, to harden the decompression. In this case, most antivirus scanners identify the RaDa executable as UPX packed, but UPX is unable to decompress it.

6. Categorize this type of malware (virus, worm...) and justify your reasoning.

I think that the best category for this malware may be a backdoor/bot. Is not properly a virus, because it seems to not have self replicating or infecting code. It isn't a worm, because do not use network to spread itself, not directly. It isn't a trojan, because it don't have appearance of "useful" program to the user, to induce the user to activate himself.

It can be a point of access to the infected PCs, like a backdoor, and it can execute some simple tasks in automatic mode, controlled from a remote "owner", like a bot. The advantage of this kind of backdoor is that it works even if the infected PC is behind a firewall.

7. Identify another tool that has demonstrated similar functionality in the past.

This is my first Scan of the Month appearance, and I don't know previous "tools" analyzed. But looking in the past challenges in Honeynet website, I found some (very little) similarities with the malware in the "Reverse Challenge".

8. Suggest detection and protection methods to fight against the threats introduced by this binary.

There are various methods to detect the infections:

3.1 Bonus Questions

Is it possible to interrogate the binary about the person(s) who developed this tool? In what circumstances and under which conditions?

Yes, using one of this command lines:

c:\rada\bin\rada --authors
c:\rada\bin\rada --help

or using a default behavior with wrong argument:

c:\rada\bin\rada wrongoption

that shows an IExplorer window with authors, or using the GUI interface:

c:\rada\bin\rada --gui

where the authors are in bold. Strange malware, indeed...

I also found the string using the method described in Analysis paragraph. You can see some screenshots of the dialogs and the IExplorer window following this links:


What advancements in tools with similar purposes can we expect in the near future?

Some of the possible improvements of this kind of malwares are already used in most of the Internet worms as SDbot, Spybot (the worm, not the anti-spyware utility), Gaobot and similar. Most of this uses these strategy and methods to both avoid detection and removal:

These malwares shows also a good number of methods to spread themselves to more PCs as possible. A Gaobot variant uses six different vulnerabilities of Windows, two of Internet Information Server and one of MS SQL server, and use Windows disk shares with weak password to propagate, if noone of the exploits works.

After the infection, these worms connects to an IRC server as bot and wait for orders from it. They are able to launch a wide variety of network DDoS attacks, counting on large number of infected machines. And also are capable to get any files from infected PCs. Some of them are able to launch any command or reboot the PC. Or they have the ability to send mail to any address collected from the infected PCs. They have network sniffing capability also.

These malwares are designed to do more things, all dangerous, and all to the orders of the "owner" of the worm.

I think that the last released patch and Service Packs will help to lower the threat, but too many user ignore the danger.