Compilation date: 08:12:31 27.12.2018
- 314b259739f4660e89221fa2e8990139a84611a9 (CMD_UDP_DLL.dll)
It is a backdoor for Microsoft Windows operating systems. It allows attackers to remotely control infected computers by implementing remote shell functions — launching cmd.exe and redirecting the I/O to the attacker's C&C server. The trojan is written in C++; the pdb file with debugging information when compiled on the attacker's computer was located at C:\VS2010\CMD_UDP_Server\Release\CMD_UDP_DLL.pdb.
BackDoor.CmdUdp.1 has the following exported functions:
??0CCMD_UDP_DLL@@QAE@XZ ??4CCMD_UDP_DLL@@QAEAAV0@ABV0@@Z ?fnCMD_UDP_DLL@@YAHXZ ?nCMD_UDP_DLL@@3HA LoadProc ServiceMain
Once on the target computer, the backdoor can work with or without being installed on the system. In the first case, the ServiceMain function is exported; in the second case, the LoadProc function is exported. To provide its autorun, the backdoor is installed on the system as a service. Every 3 minutes BackDoor.CmdUdp.1 sends the message hello to the C&C server tv.teldcomtv.com:8080 and waits for further commands.
Communication with the server is performed over the UDP Protocol. In response the server can send one of several control words to the trojan:
The «hello» command
When this command is received, the backdoor starts the cmd.exe process. In this case, the input and output of the command-line interpreter are redirected to 2 anonymous pipes. If the process is created successfully, the cmd OK message is sent to the server. In addition, a thread is started in which the trojan will send data from the stdout/stderr of the cmd.exe process to the server. If the backdoor fails to run cmd.exe, it notifies the server by sending cmd err.
The «world» command
This command stops the cmd.exe main running thread for 1 second.
The «exit» command
This command terminates the previously created cmd.exe process. If the server response does not contain any of the three specified commands, its contents are sent to cmd.exe for execution.