b. Encrypt the collected information with a custom encryption routine whose key is derived from the return value of the GetTickCount API. The encrypted data is then encrypted a second time with a bitwise NOT. c. Generate a CRC hash value of the encrypted information.

[Listing 11 - Captured packet received by the client]

The server is now ready to accept backdoor commands from the remote attacker.

3.5 Backdoor Communication Protocol 0x01: Execution of Client-Server Commands

During the 3-way handshake process, we discovered that the Win32/Hydraq backdoor constructs a custom packet. This is a communication protocol designed so that the client and server can recognize each other over the network. The information header format differs at each end point.

Client information header fields:

  Client Command Reference (DWORD)
  Task (DWORD)
  Start / End Flag (DWORD)
  Size of Data sent (DWORD)
  Data CRC (WORD)
  Data Encryption Key (WORD)

Illustrative values: 00 00 00 00 01 00 00 00 B0 00 00 00 75 53 A1 00
Field              Offset  Description
Command Reference  0x00    Reference used to identify the group of a specific backdoor command.
Start / End Flag   0x08    Flag that signals to the receiver the start (1) or end (-1) of the data.
Data CRC           0x10
Encrypted Data     0x14

[Figure 02 - The client processes the server information header.]

The constructed information header is 20 bytes in size with the following format. (Note: The values in Table 03 are for illustration purposes.)

Server information header fields:

  Server Information Reference (DWORD)
  Information Code (DWORD)
  Start / End Flag (DWORD)
  Size of Data sent (DWORD)
  Data CRC (WORD)
  Data Encryption Key (WORD)

Illustrative values: 01 00 00 00 B0 00 00 00 75 53 A1 00

The difference between the client and server header information lies in the Server Info Reference (offset 0x00) and Information Code (offset 0x04). Based on our simulation and code inspection, the backdoor client uses the following numeric codes to identify the content of the received information: (Note: The Backdoor Command and Task are discussed in the section Backdoor Command Table.)

CA ISBU-ISI WHITE PAPER: IN-DEPTH ANALYSIS OF HYDRAQ

Server Information Code (expected values)   Backdoor Command   Task
0x00 0x03                                   0x02               0x00
0x00 0x04                                   0x04               0x08
0x00 0x05                                   0x04               0x09
  Read file information
0x00 0x06                                   0x07               0x0B
  Receive VedioDriver
0x02 0x00                                   0x00               0x00
0x02 0x01                                   0x00               0x01
0x03 0x00                                   0x01               0x00
0x05 0x00                                   0x03               0x00
0x05 0x01                                   0x03               0x01
  Registry keys
0x05 0x02                                   0x03               0x02
  Deleted registry info
0x05 0x06                                   0x03               0x06
0x06 0x00                                   0x04               0x00
0x06 0x01                                   0x04               0x01
0x06 0x07                                   0x04               0x07
0x08 0x06                                   0x05               0x06
  File CRC
0x09 0x01                                   0x06               0x01
  File information
0x09 0x02                                   0x06               0x02
0x0C 0x02                                   0x08               0x00
0x14 0x04                                   0x09               0x01

3.6 Backdoor Command Reference

Aside from the malware code obfuscated with JMPs and NOPs, Win32/Hydraq also constructs a reference table that is used, together with the Command Reference field found in the client's information header, to translate that field into the actual command.


3. Look up the value obtained in Step 2 in Table 05 to get the actual command.

To elaborate on this further, let’s take an example where the remote attacker requests information about the logical drive of the compromised system.

Command Reference Backdoor Command
0x00 0x00
0x01 0x01
0x02 0x02
0x03 0x03
0x04 0x04
0x05 0x0A
0x06 0x05
0x07 0x06
0x08 0x07
0x09 0x0A
0x0A 0x08
0x0B 0x0A
0x0C 0x0A
0x0D 0x0A
0x0E 0x0A
0x0F 0x0A
0x10 0x0A
0x11 0x0A
0x12 0x09

2. 6 + (-2) = 4

[Table 05 - Backdoor Command Reference]

Command Reference Backdoor Command
0x04 0x04
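As an added example (not code from the CA paper), the following Python decoder parses the 20-byte client information header described in section 3.5, checks the start/end flag, strips the outer bitwise-NOT layer from the payload and translates the Command Reference field through Table 05. The custom cipher keyed from GetTickCount and the CRC algorithm are not described in this excerpt, so the decoder neither decrypts the inner layer nor verifies the CRC; the offsets of the Task, Size and Key fields (0x04, 0x0C, 0x12) and the sample packet are assumptions derived from the stated field sizes.

```python
import struct

# Client information header: 20 bytes, little-endian (section 3.5).
# Offsets 0x00 (reference), 0x08 (flag), 0x10 (CRC) and 0x14 (data) are from the
# paper; 0x04 (task), 0x0C (size) and 0x12 (key) follow from the field sizes.
HEADER_FMT = "<IIiIHH"  # reference, task, flag (signed: 1 start / -1 end), size, crc, key
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 20

# Table 05: Command Reference -> Backdoor Command, values exactly as printed.
COMMAND_REFERENCE = {
    0x00: 0x00, 0x01: 0x01, 0x02: 0x02, 0x03: 0x03, 0x04: 0x04,
    0x05: 0x0A, 0x06: 0x05, 0x07: 0x06, 0x08: 0x07, 0x09: 0x0A,
    0x0A: 0x08, 0x0B: 0x0A, 0x0C: 0x0A, 0x0D: 0x0A, 0x0E: 0x0A,
    0x0F: 0x0A, 0x10: 0x0A, 0x11: 0x0A, 0x12: 0x09,
}

def strip_not_layer(data: bytes) -> bytes:
    """Undo the outer bitwise NOT applied after the custom cipher (step b).
    The inner cipher keyed from GetTickCount is not described in this excerpt,
    so the result is still custom-encrypted."""
    return bytes((~b) & 0xFF for b in data)

def parse_client_packet(packet: bytes) -> dict:
    """Decode one captured client packet into header fields and payload."""
    if len(packet) < HEADER_LEN:
        raise ValueError("short packet: %d bytes" % len(packet))
    ref, task, flag, size, crc, key = struct.unpack_from(HEADER_FMT, packet)
    if flag not in (1, -1):
        raise ValueError("unexpected start/end flag %d" % flag)
    payload = packet[HEADER_LEN:HEADER_LEN + size]
    if len(payload) != size:
        raise ValueError("declared size %d, only %d bytes present" % (size, len(payload)))
    return {
        "command_reference": ref,
        "backdoor_command": COMMAND_REFERENCE.get(ref),  # None if not in Table 05
        "task": task,
        "is_start": flag == 1,
        "size": size,
        "data_crc": crc,
        "encryption_key": key,
        "inner_ciphertext": strip_not_layer(payload),
    }

def build_sample_packet() -> bytes:
    """Constructed sample, not a real capture: reference 0x0A, task 0x00,
    start flag, four NOT-wrapped bytes; CRC and key are placeholder values."""
    inner = b"\x10\x20\x30\x40"
    header = struct.pack(HEADER_FMT, 0x0A, 0x00, 1, len(inner), 0x5375, 0x00A1)
    return header + strip_not_layer(inner)  # NOT is its own inverse
```

Running `parse_client_packet(build_sample_packet())` yields backdoor command 0x08 for reference 0x0A, which is the non-identity mapping Table 05 shows.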