Now that we have the password, we can type it into our IRC program and
try to establish a real communications channel with the backdoor. Obtaining a
basic list of supported commands is going to be quite easy. I’ve already mentioned a routine at 00403016 that appears to process the supported commands. Disassembling this function to figure out the supported commands is
an almost trivial task; one merely has to look for calls to string-comparison
functions and examine the strings being compared. The function that does this
is far too long to be included here, but let’s take a look at a typical sequence
that checks the incoming message.
0040308B PUSH ZoneLock.0040511B ; s2 = “?dontuseme”
00403090 LEA EAX,DWORD PTR SS:[EBP-200]
00403096 PUSH EAX ; s1
00403097 CALL <JMP.&CRTDLL.strcmp>
0040309C ADD ESP,8
0040309F OR EAX,EAX
004030A1 JNZ SHORT ZoneLock.004030B2
004030A3 CALL ZoneLock.00401AA0
004030A8 MOV EAX,3
004030AD JMP ZoneLock.00403640
004030B2 PUSH ZoneLock.00405126 ; s2 = “?quit”
004030B7 LEA EAX,DWORD PTR SS:[EBP-200]
004030BD PUSH EAX ; s1
004030BE CALL <JMP.&CRTDLL.strcmp>
004030C3 ADD ESP,8
004030C6 OR EAX,EAX
004030C8 JNZ SHORT ZoneLock.004030D4
004030CA MOV EAX,3
004030CF JMP ZoneLock.00403640
004030D4 PUSH ZoneLock.00405138 ; s2 = “threads”
004030D9 LEA EAX,DWORD PTR SS:[EBP-200]
004030DF PUSH EAX ; s1
004030E0 CALL <JMP.&CRTDLL.strcmp>
See my point? All three strings are compared against the string from [EBP-200]; that’s the command string (not including the exclamation mark). There
are quite a few string comparisons, and I won’t go over the code that responds
to each and every one of them. Instead, how about we try out a few of the more
obvious ones and just see what happens? For instance, let’s start with the
!info command.
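The recovery technique just described (look for calls to string-comparison routines and read off the literal being compared) is mechanical enough to script. The following is an added example, not code from the book or anything shipped with the backdoor: a small Python scanner that walks a text disassembly in the format shown above, remembers the most recent pushed string literal and the most recent stack buffer loaded with LEA, and records both whenever a CALL to a compare routine appears. The listing embedded below is the three comparisons from the page, typed in as constructed sample input; the set of compare-function names it recognizes and the rule that pending pushes belong to the next CALL are assumptions of this script, not facts stated on the page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the three strcmp sequences shown in the listing.
# Addresses and strings are copied from the page; everything else is ours.
LISTING = """\
0040308B PUSH ZoneLock.0040511B ; s2 = "?dontuseme"
00403090 LEA EAX,DWORD PTR SS:[EBP-200]
00403096 PUSH EAX ; s1
00403097 CALL <JMP.&CRTDLL.strcmp>
0040309C ADD ESP,8
0040309F OR EAX,EAX
004030A1 JNZ SHORT ZoneLock.004030B2
004030A3 CALL ZoneLock.00401AA0
004030A8 MOV EAX,3
004030AD JMP ZoneLock.00403640
004030B2 PUSH ZoneLock.00405126 ; s2 = "?quit"
004030B7 LEA EAX,DWORD PTR SS:[EBP-200]
004030BD PUSH EAX ; s1
004030BE CALL <JMP.&CRTDLL.strcmp>
004030C3 ADD ESP,8
004030C6 OR EAX,EAX
004030C8 JNZ SHORT ZoneLock.004030D4
004030CA MOV EAX,3
004030CF JMP ZoneLock.00403640
004030D4 PUSH ZoneLock.00405138 ; s2 = "threads"
004030D9 LEA EAX,DWORD PTR SS:[EBP-200]
004030DF PUSH EAX ; s1
004030E0 CALL <JMP.&CRTDLL.strcmp>
"""

# One listing line: 8 hex digits, mnemonic, then operands and an optional comment.
LINE_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+(\S+)\s*(.*)$")
# The debugger's string annotation on a PUSH; accepts straight or curly quotes.
STR_COMMENT_RE = re.compile(r';\s*s2\s*=\s*[“"]([^”"]*)[”"]')
# Assumed set of C-runtime/Win32 comparison routines worth stopping at.
COMPARE_FUNCS = ("strcmp", "stricmp", "strncmp", "strcmpi", "lstrcmp", "lstrcmpi")


def extract_compared_strings(listing: str) -> List[Tuple[str, str, Optional[str]]]:
    """Return (call address, string literal, buffer operand) for every CALL to a
    compare routine that was fed a pushed string literal."""
    results = []
    pending_literal = None   # last PUSH annotated with a string
    pending_buffer = None    # last LEA'd memory operand, e.g. EBP-200
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        addr, mnemonic, rest = m.groups()
        mnemonic = mnemonic.upper()
        if mnemonic == "PUSH":
            c = STR_COMMENT_RE.search(rest)
            if c:
                pending_literal = c.group(1)
        elif mnemonic == "LEA":
            b = re.search(r"\[([^\]]+)\]", rest)
            if b:
                pending_buffer = b.group(1)
        elif mnemonic == "CALL":
            target = rest.split(";")[0].strip().lower()
            if any(name in target for name in COMPARE_FUNCS) and pending_literal is not None:
                results.append((addr.upper(), pending_literal, pending_buffer))
            # Assumption: pushed arguments are consumed by the next CALL, whatever it is.
            pending_literal = None
            pending_buffer = None
    return results


def command_table(listing: str) -> Dict[str, str]:
    """Map each recovered command string to the address of its comparison."""
    return {literal: addr for addr, literal, _ in extract_compared_strings(listing)}


def common_buffer(rows: List[Tuple[str, str, Optional[str]]]) -> Optional[str]:
    """If every comparison reads the same buffer (the command string), return it."""
    buffers = {buf for _, _, buf in rows}
    return buffers.pop() if len(buffers) == 1 else None


if __name__ == "__main__":
    rows = extract_compared_strings(LISTING)
    for addr, literal, buf in rows:
        print(f"{addr}: compares [{buf}] against {literal!r}")
    print("shared command buffer:", common_buffer(rows))
```

Run as-is it lists the three commands with the address of each strcmp and confirms they all read [EBP-200], which is the observation made in the text. The scanner only sees literals the debugger has annotated as strings; a backdoor that compares through a table of pointers, hashes the command, or uses an inline byte loop would need the same idea applied by hand. The recovered vocabulary is also what a defender would feed into IRC-traffic detection rules.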
/JOIN ##g##
<attacker> !morris tounge
<attacker> !info
-iyljuhn- Windows 2000 [Service Pack 4]. uptime: 0d 18h 11m.
cpu 1648MHz. online: 0d 0h 0m. Current user: eldade.
IP:192.168.11.128 Hostname:eldad-vm-2ksrv. Processor x86
Family 6 Model 9 Stepping 8, GenuineIntel.
302 Chapter 8