You start out by joining the ##g## channel and saying the password. You then send the “!info” command, to which the program responds with some general information regarding the infected host. This includes the exact version of the running operating system (in my case, this was the version of the guest operating system running under VMWare, on which I installed the Trojan/backdoor), and other details such as estimated CPU speed and model number, IP address and system name, and so on.
There are plenty of other, far more interesting commands. For example, take a look at the “!webfind64” and the “!execute” commands. “!execute” launches an executable from the infected host’s local drives. “!webfind64” downloads a file from any remote server into a local directory and launches it if needed. Between them, these two commands give an attacker full-blown access to the infected system, which can then be abused in a countless number of ways.
Running SOCKS4 Servers
There is one other significant command in the backdoor program that I haven’t discussed yet: “!socks4”. This command establishes a thread that waits for connections that use the SOCKS4 protocol. SOCKS4 is a well-known proxy communications protocol that can be used for indirectly accessing a network. Using SOCKS4, it is possible to route all traffic (for example, outgoing Internet traffic) through a single server.
The backdoor supports multiple SOCKS4 threads that listen to any traffic on attacker-supplied port numbers. What does this all mean? It means that if the infected system has any open ports on the Internet, it is possible to install a SOCKS4 server on one of those ports, and use that system to indirectly connect to the Internet. For attackers this can be heaven, because it allows them to anonymously connect to servers on the Internet (actually, it’s not anonymous—it uses the legitimate system owner’s identity, so it is essentially a type of identity theft). Such anonymous connections can be used for any purpose: Web browsing, e-mail, and so on. The ability to connect to other servers anonymously without exposing one’s true identity creates endless criminal opportunities—it is going to be extremely difficult to trace back the actual system from which the traffic is originating. This is especially true if each individual proxy is only used for a brief period of time and if each proxy is cleaned up properly once it is decommissioned.
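Because the backdoor can open a SOCKS4 listener on an arbitrary port, the protocol itself is the most reliable thing to look for when hunting for such a proxy on a network: the first bytes a client sends are a fixed-layout request (version byte 4, a command byte, a 2-byte destination port, a 4-byte destination IP, and a NUL-terminated user ID), and the server answers with an 8-byte reply whose second byte is 90 (granted) or 91 (rejected). The following is an added example, written for this discussion and not code from the book or from the backdoor; it decodes that request from the first payload of captured TCP flows so a defender can spot SOCKS4 handshakes on unexpected ports, and it also handles the SOCKS4a hostname extension (destination IP 0.0.0.x with a hostname after the user ID). The flow tuples, IP addresses, and user IDs are constructed sample data, and the flow format is an assumption of the example, not something the book describes.

```python
import struct
import ipaddress
from dataclasses import dataclass
from typing import Optional

# SOCKS4 constants from the protocol specification.
SOCKS4_VERSION = 4
CMD_CONNECT = 1
CMD_BIND = 2
REPLY_GRANTED = 90
REPLY_REJECTED = 91


@dataclass
class Socks4Request:
    command: int
    dst_port: int
    dst_ip: str
    user_id: str
    hostname: Optional[str]  # only set for SOCKS4a requests


def parse_socks4_request(data: bytes) -> Optional[Socks4Request]:
    """Decode one client request: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL [HOSTNAME NUL].

    Returns None for anything that is not a well-formed SOCKS4/SOCKS4a request,
    including truncated requests and requests with an unterminated user ID.
    """
    if len(data) < 9 or data[0] != SOCKS4_VERSION:
        return None
    command, port = struct.unpack("!BH", data[1:4])
    if command not in (CMD_CONNECT, CMD_BIND):
        return None
    ip = str(ipaddress.IPv4Address(data[4:8]))
    nul = data.find(b"\x00", 8)
    if nul == -1:
        return None  # USERID never terminated: not a complete request
    user_id = data[8:nul].decode("latin-1")
    hostname = None
    # SOCKS4a extension: DSTIP of the form 0.0.0.x (x != 0) means that a
    # NUL-terminated hostname follows the user ID and the IP is a placeholder.
    if data[4:7] == b"\x00\x00\x00" and data[7] != 0:
        end = data.find(b"\x00", nul + 1)
        if end == -1:
            return None
        hostname = data[nul + 1:end].decode("latin-1")
    return Socks4Request(command, port, ip, user_id, hostname)


def build_socks4_reply(code: int, port: int = 0, ip: str = "0.0.0.0") -> bytes:
    """Encode the 8-byte server reply: VN=0, CD=code, DSTPORT, DSTIP."""
    return struct.pack("!BBH", 0, code, port) + ipaddress.IPv4Address(ip).packed


def find_socks4_handshakes(flows):
    """flows: iterable of (client_addr, server_port, first_client_payload).

    Returns one finding per flow whose first payload parses as a SOCKS4 request,
    regardless of the server port, since the backdoor picks the port itself.
    """
    findings = []
    for client, server_port, payload in flows:
        req = parse_socks4_request(payload)
        if req is None:
            continue
        findings.append({
            "client": client,
            "proxy_port": server_port,
            "command": "CONNECT" if req.command == CMD_CONNECT else "BIND",
            "target": f"{req.hostname or req.dst_ip}:{req.dst_port}",
            "user_id": req.user_id,
        })
    return findings


# Constructed sample flows (TEST-NET addresses): one plain SOCKS4 CONNECT, one
# SOCKS4a CONNECT by hostname, one HTTP request, and one truncated request.
SAMPLE_CONNECT = b"\x04\x01\x00\x50" + bytes([192, 0, 2, 10]) + b"bob\x00"
SAMPLE_CONNECT_4A = b"\x04\x01\x01\xbb\x00\x00\x00\x01" + b"\x00" + b"example.com\x00"
CAPTURED_FLOWS = [
    ("198.51.100.7", 31337, SAMPLE_CONNECT),
    ("198.51.100.9", 8080, SAMPLE_CONNECT_4A),
    ("198.51.100.9", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("198.51.100.12", 31337, b"\x04\x01\x00\x50\xc0"),
]

if __name__ == "__main__":
    for finding in find_socks4_handshakes(CAPTURED_FLOWS):
        print(finding)
    print(build_socks4_reply(REPLY_GRANTED).hex())
```

Run over the constructed flows, the scan reports only the two real SOCKS4 requests (the plain CONNECT on port 31337 and the SOCKS4a CONNECT on port 8080); the HTTP payload and the truncated request are ignored. The same parser can be pointed at the first client payload of every inbound TCP session in a packet capture, and a hit on a port that is not supposed to run a proxy is a strong indicator that something like the “!socks4” command has been used on that host.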
Clearing the Crime Scene
Speaking of cleaning up, this program supports a self-destruct command
called “!?dontuseme”, which uninstalls the program from the registry and
Reversing Malware 303