Abstract

Details

The file is programmed in Visual Basic 6.0 and the version of the backdoor is RaDa v0.22.


Recommendations

1) I have developed my own tool, antiradar.exe, which does the following:

    Kill the process

    Delete the file and its subdirectories

    Create a file C:\Rada so that the backdoor cannot create a copy of itself again, and add this entry in the registry:

HKLM\Software\VMware, Inc.\VMware Tools\InstallPath

2) Edit the hosts file and add this line at the end of the file:

127.0.0.1         10.10.10.10

Note: 10.10.10.10 is the IP address that the backdoor connects to. With this line the backdoor cannot connect to its original IP because we have redirected it to the local IP.

This is the same as blocking IP 10.10.10.10 on port 80 in the firewall or IDS.
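The hosts-file step above, written out as an added example that is not part of the original write-up or of the antiradar.exe tool. It works on the hosts file as text so it can be checked offline: it parses the file (skipping comments and blank lines), checks whether the `127.0.0.1  10.10.10.10` line is already there, and appends it only once. The sample hosts content is constructed.

```python
# Added example (not from the original write-up): idempotently apply the
# recommended hosts-file line "127.0.0.1  10.10.10.10" to hosts-file text.
# Operates on text rather than the live file so it can be run and tested offline.

LOOPBACK = "127.0.0.1"
RADA_SERVER = "10.10.10.10"   # address the write-up says the backdoor contacts


def parse_hosts(text):
    """Return a list of (address, [names]) from hosts-file text.

    Comments ('#' to end of line) and blank lines are skipped; a line with an
    address but no names is malformed and ignored.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        entries.append((parts[0], parts[1:]))
    return entries


def has_entry(text, address, name):
    """True if some non-comment line maps `name` to `address`."""
    return any(addr == address and name in names
               for addr, names in parse_hosts(text))


def add_sinkhole_entry(text, name=RADA_SERVER, address=LOOPBACK):
    """Append "<address>\t<name>" at the end of the file unless it is already present."""
    if has_entry(text, address, name):
        return text                      # idempotent: second run changes nothing
    if text and not text.endswith("\n"):
        text += "\n"                     # keep the new entry on its own line
    return text + f"{address}\t{name}\n"


# Constructed sample hosts file (not taken from any real system).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
"""
```

Calling `add_sinkhole_entry(SAMPLE_HOSTS)` returns the text with the new line appended; calling it again on the result returns it unchanged. One caveat a practitioner will want: the hosts file is consulted only when a hostname is resolved, so a program that opens a connection to the literal address 10.10.10.10 never looks at it. The firewall or IDS block on 10.10.10.10 port 80 mentioned above is therefore the more reliable of the two controls.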

3) With the Snort signature


How does the tool work?


The RaDa.exe backdoor can launch a distributed denial of service (DDoS smurf) attack.

The backdoor creates a registry entry so that it starts up when the machine reboots.

It also gathers information with an SQL-style WMI query:

    SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True

This returns a collection consisting of all the network adapter configurations on the computer for which IP is enabled.

First of all, when the backdoor is executed it tries to connect to http://10.10.10.10/RaDa to read the backdoor configuration.

The backdoor connects to IP 10.10.10.10 on the HTTP port.
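The connection behaviour just described is what a defender can detect from the network side. The following is an added example, not code from the original write-up: it runs over web-proxy style log lines (the log format and the sample lines are constructed) and flags the configuration fetch to http://10.10.10.10/RaDa as a beacon, while also reporting any other traffic to that host on port 80.

```python
# Added example (not from the original write-up): flag RaDa-style beacons in
# web-proxy style log lines. The log format and sample lines are constructed.
import re
from urllib.parse import urlsplit

RADA_SERVER = "10.10.10.10"   # address the write-up says the backdoor contacts
RADA_PORT = 80                # HTTP port the write-up names
RADA_PATH = "/rada"           # configuration URL path, compared case-insensitively

# Constructed log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) (?P<method>[A-Z]+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)


def classify(line):
    """Return 'beacon', 'c2-contact', or None for one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return None                      # unparseable line: ignore
    url = urlsplit(m.group("url"))
    port = url.port or (443 if url.scheme == "https" else 80)
    if url.hostname != RADA_SERVER or port != RADA_PORT:
        return None
    # The exact configuration fetch the write-up describes (trailing slash and
    # letter case tolerated).
    if url.path.rstrip("/").lower() == RADA_PATH:
        return "beacon"
    # Anything else to the same host and port is still worth an alert.
    return "c2-contact"


def find_infected_hosts(lines):
    """Map client IP -> list of (timestamp, verdict) for every matching line."""
    hits = {}
    for line in lines:
        verdict = classify(line)
        if verdict is None:
            continue
        m = LOG_LINE.match(line)
        hits.setdefault(m.group("client"), []).append((m.group("ts"), verdict))
    return hits


# Constructed sample log (not captured traffic).
SAMPLE_LOG = [
    "2004-09-01T10:00:01 192.168.1.20 GET http://10.10.10.10/RaDa 200",
    "2004-09-01T10:00:05 192.168.1.20 GET http://www.example.com/index.html 200",
    "2004-09-01T10:01:00 192.168.1.31 GET http://10.10.10.10/RaDa/ 404",
    "2004-09-01T10:02:10 192.168.1.31 POST http://10.10.10.10/upload.cgi 200",
    "2004-09-01T10:03:00 192.168.1.40 GET http://10.10.10.10:8080/RaDa 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for host, events in find_infected_hosts(SAMPLE_LOG).items():
        print(host, events)
```

Run against the sample, two client hosts are reported: 192.168.1.20 (one beacon) and 192.168.1.31 (a beacon followed by another contact with the same server). The request to port 8080 is deliberately not flagged, since the write-up ties the traffic to the HTTP port; widen `RADA_PORT` if your environment warrants it. The same two conditions, destination 10.10.10.10 on port 80 and the `/RaDa` request path, are what the Snort signature in recommendation 3 would need to carry.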

Related links


DDoS smurf attack

    http://www.pentics.net/denial-of-service/white-papers/smurf.cgi

    http://securityresponse.symantec.com/avcenter/venc/data/smurf.dos.attack.html