The file is programmed in Visual Basic 6.0 and contains a string reference indicating that the version of the file is RaDa v 0.22.



            How does the tool work?


The RaDa.exe backdoor performs distributed denial of service (DDoS smurf) attacks.

The backdoor connects to port 80 and waits for the client connection from which it is commanded.

When ready to receive commands, the backdoor accepts these options:

--verbose       verbose mode
--visible       run visibly or invisibly
--server        server type
--commands      give commands
--cgipath       path of the CGI
--cgiget        CGI GET
--cycles        number of cycles
--help          show help about the tool
--installdir    installation directory
--noinstall     do not install
--uninstall     uninstall the backdoor
--authors       show information and the names of the authors


The backdoor creates this entry in the registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run . With this entry it starts again whenever the machine reboots.

It creates these directories:




And this file, which is a copy of the same binary:



It uses a utility, fupload.vbs, for upload/download, taken from "Copyright (C) 2001 Antonin Foller, PSTRUH Software".

      The backdoor contains code to scan all classes of network (A, B and C):




            And it gets information with an SQL-style WMI query:

                        SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True

This returns a collection of all the network adapter configurations on the computer for which IP is enabled.


            The binary contains this MAC address inside the code:



First of all, when the backdoor is executed it tries to connect to

to read the backdoor configuration, which has information in this format:


<RaDa Current Configuration>


The backdoor leaves from a high port (greater than 1024) and connects to the IP on the HTTP port (80).



            How can you detect the presence of such tools?


            1) If the process RaDa.exe is in memory.

            2) And if the firewall or IDS detects a connection to port 80.
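As an added example (not the author's antiradar.exe and not part of the original report), the following Python checks the two indicators above together with the Run-key persistence described earlier, written as pure functions over an already collected process list, Run-key values and `netstat -ano` output so the logic can be tested offline; the netstat sample is constructed, and the 10.10.10.10 address is the one this page names for the backdoor's server.

```python
import re

PROCESS_NAME = "rada.exe"
C2_IP = "10.10.10.10"   # the server IP this page names for the backdoor
C2_PORT = 80

# Constructed sample of `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.5:1054       10.10.10.10:80         ESTABLISHED     1732
  TCP    192.168.1.5:1060       93.184.216.34:443      ESTABLISHED     2040
"""
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)")

def parse_netstat(text):
    """Yield (local_port, remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            yield int(m[2]), m[3], int(m[4]), m[5], int(m[6])

def rada_connections(netstat_text, c2_ip=C2_IP):
    """Connections matching the page: ephemeral source port above 1024,
    established to the backdoor's IP on TCP/80."""
    return [c for c in parse_netstat(netstat_text)
            if c[0] > 1024 and c[1] == c2_ip and c[2] == C2_PORT
            and c[3] == "ESTABLISHED"]

def rada_processes(process_names):
    """Entries of the running-process list that are the backdoor binary."""
    return [p for p in process_names if p.lower() == PROCESS_NAME]

def rada_run_entries(run_values):
    """Run-key value names whose command launches RaDa.exe.
    run_values: {value_name: command} as read from the Run key named on the page."""
    return [n for n, cmd in run_values.items() if PROCESS_NAME in cmd.lower()]

def assess(process_names, run_values, netstat_text):
    """Combine the three indicators into findings; an empty list means clean."""
    findings = [f"process running: {p}" for p in rada_processes(process_names)]
    findings += [f"persistence: Run value '{n}'" for n in rada_run_entries(run_values)]
    findings += [f"connection: local :{lp} -> {ip}:{rp} (pid {pid})"
                 for lp, ip, rp, _, pid in rada_connections(netstat_text)]
    return findings
```

On a live host the inputs would come from tasklist, a read of the Run key, and `netstat -ano`; the install path in any Run value is whatever the backdoor wrote there, which this page leaves unspecified.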


            How can you defend against such attacks?

I have developed my own tool, antiradar.exe; my tool does the following:

                 Kill the process

                 Delete the file and subdirectories

            Create a file C:\Rada so that the backdoor cannot create its copy again, and add this entry in the registry:

HKLM\Software\VMware, Inc.\VMware Tools\InstallPath

2) Edit the Hosts file and add this line at the end of the file:

Note: is the IP that the backdoor connects to. With this line the backdoor cannot connect to its original IP because we have redirected it to the local IP.

This is the same as blocking the IP 10.10.10.10 on port 80 in the firewall or IDS.

3) With the Snort signature:




            Related links


            DDoS smurf attack