Reversing : The Hacker's Guide to Reverse Engineering

00402D96 LEA EAX,DWORD PTR SS:[EBP-260]
00402D9C PUSH EAX ; s
00402D9D CALL <JMP.&CRTDLL.sprintf>
00402DA2 ADD ESP,14
00402DA5 JMP SHORT ZoneLock.00402DC5
00402DA7 PUSH ZoneLock.004050B0 ; <%s> = “##g##”
00402DAC PUSH ZoneLock.004051A3 ; <%s> = “JOIN”
00402DB1 PUSH ZoneLock.004054BE ; format = “%s %s”
00402DB6 LEA EAX,DWORD PTR SS:[EBP-260]
00402DBC PUSH EAX ; s
00402DBD CALL <JMP.&CRTDLL.sprintf>

In the preceding sequence, the first sprintf will only be called if the server sends an MOTD, and the second one will be called if it doesn't. The two commands both join the same channel, ##g##, but if the server has an MOTD the channel will be joined with the password grandad. (Notice the ADD ESP,14 after the first call: it removes five arguments from the stack, whereas the second call visibly pushes only four, the buffer, the format string, and two strings. The extra argument is consistent with the password being passed to the first sprintf.) At this point, you can start your initial communications with the program by pretending to be the attacker and joining a channel called ##g## on the private IRC server. As soon as you join, you will know that your friend is already there, because other than your own nickname you can also see an additional random-sounding name connected to this channel. That's the backdoor program.

It's obvious that the backdoor can be controlled by issuing commands inside the private channel you've established, but how can you know which commands are supported? The information you've gathered so far could have been gathered using a simple network monitor; the list of supported commands couldn't have been. For this, you simply must look at the command-processing code and determine which commands the program supports.


Communicating with the Backdoor


In communicating with the backdoor, the most important code area is the one that processes private-message packets, because that's how the attacker controls the program: through private messages. It is quite easy to locate the code in the program that checks for the case where the PRIVMSG command is sent from the server. This will be helpful because you're expecting the code that follows this check to contain the actual parsing of commands from the attacker. The code that follows contains the only direct reference in the program to the PRIVMSG string. Note how the result is tested: strcmp returns zero on a match, OR EAX,EAX sets the zero flag accordingly, and the JNZ skips the whole PRIVMSG handler for any other command.


00402E82 PUSH DWORD PTR SS:[EBP-C] ; s2
00402E85 PUSH ZoneLock.0040518A ; s1 = “PRIVMSG”
00402E8A CALL <JMP.&CRTDLL.strcmp> ; strcmp
00402E8F ADD ESP,8
00402E92 OR EAX,EAX
00402E94 JNZ ZoneLock.00402F8F
00402E9A PUSH ZoneLock.004054A7 ; s2 = “ :”
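To make the two exchanges on this page concrete, the following is an added example in Python, written the way an analyst would when preparing to talk to the sample from a private IRC server. It is not code from the book or from the backdoor itself. It models the two JOIN variants built by the sprintf branches and the PRIVMSG dispatch shown in the listing. Three things are assumptions, not facts from the page: the first sprintf's strings are not visible, so its output is assumed to be "JOIN ##g## grandad" built with a "%s %s %s" format (five arguments, matching ADD ESP,14); the " :" string pushed after the strcmp is assumed to be used to locate the trailing IRC parameter, which is where RFC 1459 puts the message text; and the MOTD detection is assumed to key on the standard numerics 375/372/376. All sample lines are constructed, not captured traffic.

```python
"""Model of the ZoneLock IRC exchanges discussed on this page (added example).

Assumptions (not visible on the page):
  * first sprintf == sprintf(s, "%s %s %s", "JOIN", "##g##", "grandad")
  * " :" after the PRIVMSG strcmp is used to find the trailing parameter
  * the MOTD check keys on RFC 1459 numerics 375 / 372 / 376
"""

CHANNEL = "##g##"        # from the second sprintf's arguments
CHANNEL_KEY = "grandad"  # from the text: used only when an MOTD was seen

# RPL_MOTDSTART, RPL_MOTD, RPL_ENDOFMOTD (RFC 1459). Assumed trigger set.
MOTD_NUMERICS = {"375", "372", "376"}


def build_join(server_sent_motd: bool) -> str:
    """Mirror the two sprintf branches: the key is added only after an MOTD."""
    if server_sent_motd:
        # Assumed format of the first sprintf (five args incl. the key).
        return "%s %s %s" % ("JOIN", CHANNEL, CHANNEL_KEY)
    # Second sprintf, exactly as in the listing: format "%s %s".
    return "%s %s" % ("JOIN", CHANNEL)


def parse_irc_line(line: str):
    """Split a raw server line into (prefix, command, params, trailing).

    The trailing parameter is everything after the first " :" -- the same
    two-byte delimiter the backdoor pushes right after its PRIVMSG check.
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    params = head.split()
    if not params:
        raise ValueError("empty IRC line")
    return prefix, params[0], params[1:], (trailing if sep else None)


def server_sent_motd(server_lines) -> bool:
    """True if any line carries one of the MOTD numerics (assumed check)."""
    return any(parse_irc_line(l)[1] in MOTD_NUMERICS for l in server_lines)


def extract_backdoor_command(line: str):
    """Model of the dispatch in the listing.

    strcmp(cmd, "PRIVMSG") must return 0, otherwise the JNZ skips the handler.
    Only then is the text after " :" treated as the attacker's command.
    Returns (sender_nick, target, command_text) or None when ignored.
    """
    prefix, command, args, trailing = parse_irc_line(line)
    if command != "PRIVMSG" or trailing is None or not args:
        return None
    nick = prefix.split("!", 1)[0] if prefix else ""
    return nick, args[0], trailing


if __name__ == "__main__":
    # Constructed sample session: server with an MOTD, then an attacker command.
    banner = [":irc.local 001 bot :Welcome",
              ":irc.local 375 bot :- irc.local Message of the Day -",
              ":irc.local 376 bot :End of /MOTD command."]
    print(build_join(server_sent_motd(banner)))
    print(extract_backdoor_command(":attacker!a@h PRIVMSG ##g## :.status"))
```

Two practical consequences fall out of the model. If your private server is configured without an MOTD, the bot joins without the key, so the channel must not be +k or the join will fail; with an MOTD, most ircds accept a key on a channel that has none set. And because the handler searches for " :", a command sent as a bare single-word PRIVMSG parameter (legal in IRC, but never produced by a normal client) would not be recognized under the assumption above.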

Reversing Malware 299