See the Backdoor Command Table for the backdoor command and task reference used in this example.
b. Encrypt the collected information using a custom encryption scheme where the key is derived from the result of the GetTickCount API. The encrypted data is then encrypted again using a bitwise NOT.
c. Generate a CRC hash value of the encrypted information.
[Listing 11 - Captured packet received by the client]
The server is now ready to accept backdoor commands from the remote attacker.
3.5 Backdoor Communication Protocol 0x01: Execution of Client-Server Commands
During the 3-way handshake process, we discovered that the Win32/Hydraq backdoor constructs a custom packet. This is a communication protocol designed so that the client and server can recognize each other over the network. The information header format differs at each end point.
The client information header has the following fields:

Field | Size |
---|---|
Client Command Reference | DWORD |
Start / End Flag | DWORD |
Size of Data sent | DWORD |
Data CRC | WORD |
Data Encryption Key | WORD |

Illustrative values: 01 00 00 00, B0 00 00 00, 75 53, A1 00
[Figure 02 - The client processes the server information header.]
The constructed information header is 20 bytes in size with the following format. (Note: The values in Table 03 are for illustration purposes.)

Field | Size |
---|---|
Server Information Reference | DWORD |
Information Code | DWORD |
Start / End Flag | DWORD |
Size of Data sent | DWORD |
Data CRC | WORD |
Data Encryption Key | WORD |

Illustrative values: 01 00 00 00, B0 00 00 00, 75 53, A1 00
The difference between the client and server header information is the Server Info Reference (offset 0x00) and the Information Code (offset 0x04). Based on our simulation and code inspection, the backdoor client uses the following numeric codes to identify the content of the received information: (Note: The Backdoor Command and Task are discussed in the Backdoor Command Table section.)
Server Info Code (1st value) | Server Info Code (2nd value) | Backdoor Command | Backdoor Task |
---|---|---|---|
0x00 | 0x03 | 0x02 | 0x00 |
0x00 | 0x04 | 0x04 | 0x08 |
0x00 | 0x05 | 0x04 | 0x09 |
0x00 | 0x06 | 0x07 | 0x0B |
0x02 | 0x00 | 0x00 | 0x00 |
0x02 | 0x01 | 0x00 | 0x01 |
0x03 | 0x00 | 0x01 | 0x00 |
0x05 | 0x00 | 0x03 | 0x00 |
0x05 | 0x01 | 0x03 | 0x01 |
0x05 | 0x02 | 0x03 | 0x02 |
0x05 | 0x06 | 0x03 | 0x06 |
0x06 | 0x00 | 0x04 | 0x00 |
0x06 | 0x01 | 0x04 | 0x01 |
0x06 | 0x07 | 0x04 | 0x07 |
0x08 | 0x06 | 0x05 | 0x06 |
0x09 | 0x01 | 0x06 | 0x01 |
0x09 | 0x02 | 0x06 | 0x02 |
0x0C | 0x02 | 0x08 | 0x00 |
0x14 | 0x04 | 0x09 | 0x01 |
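To make the 20-byte server information header and the expected-value table concrete for analysts writing a dissector, here is an added Python parser (example code written for this page, not part of the original analysis or of the malware itself). It assumes little-endian integers, the field order of Table 03 with the reference at offset 0x00 and the information code at offset 0x04, and that the two expected values in the table above are the reference and information code fields; the sample packet is constructed.

```python
import struct

# (reference, information code) -> (backdoor command, backdoor task),
# transcribed from the Server Information Code table in section 3.5.
SERVER_INFO_CODES = {
    (0x00, 0x03): (0x02, 0x00), (0x00, 0x04): (0x04, 0x08),
    (0x00, 0x05): (0x04, 0x09), (0x00, 0x06): (0x07, 0x0B),
    (0x02, 0x00): (0x00, 0x00), (0x02, 0x01): (0x00, 0x01),
    (0x03, 0x00): (0x01, 0x00), (0x05, 0x00): (0x03, 0x00),
    (0x05, 0x01): (0x03, 0x01), (0x05, 0x02): (0x03, 0x02),
    (0x05, 0x06): (0x03, 0x06), (0x06, 0x00): (0x04, 0x00),
    (0x06, 0x01): (0x04, 0x01), (0x06, 0x07): (0x04, 0x07),
    (0x08, 0x06): (0x05, 0x06), (0x09, 0x01): (0x06, 0x01),
    (0x09, 0x02): (0x06, 0x02), (0x0C, 0x02): (0x08, 0x00),
    (0x14, 0x04): (0x09, 0x01),
}

HEADER_LEN = 20
# Assumed field order: reference DWORD @0x00 and information code DWORD
# @0x04 (both stated in the text), then start/end flag DWORD, data size
# DWORD, data CRC WORD and encryption key WORD, as Table 03 lists them.
HEADER_FMT = "<IIIIHH"

def parse_header(packet):
    """Split the 20-byte server information header into named fields."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 20-byte header")
    ref, code, flag, size, crc, key = struct.unpack_from(HEADER_FMT, packet)
    return {"reference": ref, "info_code": code, "flag": flag,
            "size": size, "crc": crc, "key": key}

def decode_packet(packet):
    """Return (header, (command, task) or None, payload with outer NOT removed).
    The inner GetTickCount-keyed layer is not specified on the page."""
    hdr = parse_header(packet)
    body = packet[HEADER_LEN:HEADER_LEN + hdr["size"]]
    if len(body) != hdr["size"]:
        raise ValueError("declared data size exceeds captured bytes")
    command_task = SERVER_INFO_CODES.get((hdr["reference"], hdr["info_code"]))
    payload = bytes(b ^ 0xFF for b in body)  # bitwise NOT is its own inverse
    return hdr, command_task, payload

# Constructed sample packet: reference 0x05, info code 0x01, flag 1, 4 data
# bytes, CRC 0x5375 and key 0x00A1 (illustrative values from Table 03).
SAMPLE = struct.pack(HEADER_FMT, 0x05, 0x01, 1, 4, 0x5375, 0x00A1) + \
    bytes(b ^ 0xFF for b in b"ping")
```

A pair that is not in the table returns None for the command/task, which is the case an analyst would want flagged when replaying captured traffic through the dissector.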
3.6 Backdoor Command Reference
Aside from the malware code obfuscated with JMPs and NOPs, Win32/Hydraq also constructs a reference table that maps the Command Reference field found in the client's information header to the actual backdoor command.
Command Reference | Backdoor Command |
---|---|
0x04 | 0x04 |