The file is programmed in Visual Basic 6.0 and contains a string reference indicating that the version of the file is
How does the tool work?
The backdoor connects to 10.10.10.10 on port 80 and waits for the client connection in order to be commanded.
The backdoor accepts the following command-line options:
--verbose     verbose mode
--visible     make the window visible or invisible
--server      server type
--commands    give commands
--cgipath     path of the CGI
--cgiget      CGI get
--cycles      number of cycles
--help        show help
--installdir  installation directory
--noinstall   do not install
--uninstall   uninstall the backdoor
--authors     show information and the names of the authors
The backdoor creates an entry under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run, so that it is started again every time the machine reboots.
It creates these directories:
And this file, which is a copy of itself:
It uses the utility fupload.vbs for uploading and downloading, “Copyright (C) 2001 Antonin Foller, PSTRUH Software”.
The backdoor contains code to scan all network classes (A, B and C):
and obtains the adapter information with a WMI (WQL) query:
SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
This returns a collection of all the network adapter configurations on the computer for which IP is enabled.
The binary contains this MAC address inside the code:
First of all, when the backdoor is executed it tries to connect to http://10.10.10.10/RaDa
to read the backdoor configuration, which has information in this format:
The backdoor connects from a high local port (greater than 1024) to IP 10.10.10.10 on the HTTP port (80).
How can you detect the presence of such tools?
1) If the process
2) In the firewall or IDS, detect connections to 10.10.10.10 on port 80 from a local port above 1024.
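The two host-side indicators named above can be checked from the output of ordinary Windows tools. The following script is an added example, not part of the original analysis and not the author's antiradar.exe: it parses constructed `netstat -ano` and `reg query` listings and flags the connection pattern (local port above 1024 to 10.10.10.10:80) and any autostart value under the Run key whose image lives outside the usual program directories. The image name and path used in the sample registry listing (RaDa.exe under C:\RaDa) are assumptions, since the page does not give them.

```python
"""Host-side checks for the indicators described above: an outbound TCP
connection from a local port above 1024 to 10.10.10.10 port 80, and an
autostart value under HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.

Added example, not the original analysis and not the author's antiradar.exe.
The netstat and registry listings below are constructed sample data.  The
image name and path (RaDa.exe under C:\\RaDa) are assumptions.
"""
import re
from collections import namedtuple

C2_IP = "10.10.10.10"      # address the backdoor polls (from the analysis)
C2_PORT = 80               # HTTP port used by the backdoor (from the analysis)
EPHEMERAL_MIN = 1024       # the backdoor leaves from a local port above 1024
# Assumption: directories from which autostart entries are normally expected.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\windows")

# Constructed sample of `netstat -ano` output on the infected host.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:1054       10.10.10.10:80         ESTABLISHED     1492
  TCP    192.168.1.5:1055       192.168.1.1:80         ESTABLISHED     3020
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING       4
  TCP    192.168.1.5:1061       10.10.10.10:443        SYN_SENT        1492
"""

# Constructed sample of `reg query` output for the Run key.  The value name
# "RaDa" and its path are assumptions, not taken from the original page.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    RaDa            REG_SZ    C:\RaDa\bin\RaDa.exe
"""

Connection = namedtuple(
    "Connection", "local_ip local_port remote_ip remote_port state pid")

NETSTAT_RE = re.compile(
    r"^\s*TCP\s+(\S+):(\d+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)\s+(\d+)\s*$")
RUN_VALUE_RE = re.compile(r"^\s+(\S.*?)\s+REG_SZ\s+(.+?)\s*$")


def parse_netstat(text):
    """Turn the TCP lines of Windows `netstat -ano` output into Connection tuples."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            conns.append(Connection(m.group(1), int(m.group(2)), m.group(3),
                                    int(m.group(4)), m.group(5), int(m.group(6))))
    return conns


def find_beacons(conns):
    """Connections matching the backdoor's pattern: high local port -> 10.10.10.10:80."""
    return [c for c in conns
            if c.remote_ip == C2_IP and c.remote_port == C2_PORT
            and c.local_port > EPHEMERAL_MIN]


def autostart_entries(text):
    """Parse (value name, image path) pairs out of `reg query ...\\Run` output."""
    return [(m.group(1), m.group(2))
            for m in map(RUN_VALUE_RE.match, text.splitlines()) if m]


def unexpected_autostart(entries, trusted_prefixes=TRUSTED_PREFIXES):
    """Autostart values whose image lives outside the trusted program directories."""
    return [(name, path) for name, path in entries
            if not path.lower().startswith(trusted_prefixes)]


if __name__ == "__main__":
    for c in find_beacons(parse_netstat(SAMPLE_NETSTAT)):
        print(f"beacon: pid {c.pid} {c.local_ip}:{c.local_port} -> "
              f"{c.remote_ip}:{c.remote_port} ({c.state})")
    for name, path in unexpected_autostart(autostart_entries(SAMPLE_RUN_KEY)):
        print(f"autostart outside trusted directories: {name} = {path}")
```

On a real host, feed the script the live output of `netstat -ano` and `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`; the PID reported for the beaconing connection is the process to look at and kill.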
How can you defend against such attacks?
I have developed my own tool, antiradar.exe, which does the following:
Kill the process
Delete the file and subdirectories
Create a file C:\
HKLM\Software\VMware, Inc.\VMware Tools\InstallPath
2) Edit the hosts file and add this line at the end of the file:
Note: 10.10.10.10 is the IP the backdoor connects to. With this line the backdoor cannot reach the original IP, because we have redirected it to the local IP.
This is the same as blocking 10.10.10.10 on port 80 in the firewall or IDS. Keep in mind that the hosts file only affects name resolution: a connection made to a literal IP address such as http://10.10.10.10/RaDa never consults it, so the firewall rule is the reliable option in that case.
3) With the following Snort signature:
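As an added example of such a signature (not the author's rule, which is not reproduced on the page), the following Snort rule alerts on an established HTTP connection from a local port above 1024 to 10.10.10.10 port 80 whose request URI contains /RaDa, which is the polling behaviour described earlier. The sid is in the local range and is an assumption; $HOME_NET is the usual Snort variable for the monitored network.

```snort
alert tcp $HOME_NET 1024: -> 10.10.10.10 80 ( \
    msg:"RaDa backdoor polling http://10.10.10.10/RaDa"; \
    flow:to_server,established; \
    content:"/RaDa"; http_uri; \
    classtype:trojan-activity; \
    sid:1000001; rev:1; \
)
```

Because the backdoor polls periodically (the --cycles option), a single alert per host is enough to confirm the infection; the source port range 1024: simply mirrors the high-port behaviour noted above and can be dropped if a host uses a different ephemeral range.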
DDoS smurf attack