Rustock Trojan A Model For Future Threats

Discussion in 'malware problems & news' started by ronjor, Dec 14, 2006.

Thread Status:
Not open for further replies.
  1. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    You know, I was alerting people to the possibility that malware and rootkits could take advantage of and hide code in the ADS several years ago. But mostly everybody said it was nothing to be concerned about, as it was just a remote possibility and probably would never happen. And why would they bother when there are easier ways to do things.

    Well there are much easier ways, but the whole point was this would be a very neat solution for them, as tracking down hidden files is a lot harder to do.

    Seems somebody was listening anyway!


    StevieO
     
  2. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Gromozon team is pretty linked to DialCall team, the last one is using Rustock.B rootkit. When Gromozon team disappeared, even DialCall servers disappeared for a couple of days, then both re-appeared and old Gromozon infection websites sometimes redirect to DialCall infection.
     
  3. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Yeah, most of them do... somehow I didn't immediately connect the name Rustock to this infection but yeah, this rootkit is closely related to Gromozon and some time ago they were both on the well known NetcatHost domains.

    I know that for some time they've been around both at the same time, but the Rustock was mainly loaded through spammed e-mails that redirected to geocities page (which in turn had an iframe to 195.225.176.34), whereas Gromozon was loaded through bogus pages that tried to rank high on search engines. It seems only recently Gromozon disappeared and most of the previous gromozon redirection pages now redirect to this malware (which is now on 81.29.241.232, btw).
     
  4. Kaupp

    Kaupp Registered Member

    Joined:
    May 17, 2005
    Posts:
    59
    That is the trouble with rootkits, is it not? They are so good at hiding from the user and anti-malware software that you will never experience their presence.

    I don't think I'm paranoid; I'm just interested to learn better techniques in discovering possible rootkit infections.

    kind regards

    Kaupp
     
  5. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    But only the best 30%,
    70% of them are easy to detect.

    The problem is that the 30% will spread more and more in future.
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Yesterday I grabbed an infection c/o one of my driveby sources and gave PrevX tool first bite at the infection and here's the log generated.
    Like I said earlier in the thread the PrevX Gromozon tool also whacks Rustock A/B out of ADS so at least we know of 2 tools capable of cleaning Rustock current incarnations in situ :)


    Hey EP_XOFF
    RKU missed the *other* ADS stream o_O but did see Hide_evr2.sys and hidden payload in C:/WINDOWS which were part of the imported infection :)
     
  7. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Ah, I see what you are saying but there will be signs that give them up as I think Mrkvonic was conveying.

    Yes, and that is good, we are all always learning :)
    If you know what to look for you can simply use WinDbg.
     
  8. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    C:\WINDOWS\System32:svchost.exe:$DATA
    Please give us the link to that malware. Probably some kind of bug here or in PrevX.
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    This was found once in Filemon:

    02:58:33 services.exe:592´READ C: * 0xC0000185 Offset: 196608 Length: 32768

    Strange services.exe activity.
     
  10. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,660
    And what about ADinf32 (Pro) ?
    https://www.wilderssecurity.com/showthread.php?t=72131

    From the help-file:
    It might be old, but ...
     

  11. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    I want to test Rustock.B with Adinf 3.02 Pro today. Wait for results.
     
  12. EASTER.2010

    EASTER.2010 Guest

    Interesting. Curious. onto review same results when available.
     
  13. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Well what can I say? Adinf was good in 1999, maybe in 2002. Now it is "not good". Still can monitor file changes but NTFS ADS is not supported. Adinf can't detect files dropped in ADS as well it can't check them. So for modern malware it is totally useless.
     
  14. EASTER.2010

    EASTER.2010 Guest

    Says enough for me. Thanks EP_XOFF for results.
     
  15. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I also used adinf some months ago, but if you look exactly it makes lots of false positives in my opinion, I also got message like stealth virus in bios, maybe you remember the thread ACPI Bios Rootkit.

    I am not sure, but I thought it also has a relation to drweb and if you know drweb av, then you know that it is the worst heuristic ever in terms of false positives, it even detects AOL or parts of AIM as possible backdoor, this guy from dr.web should really revise his oldschool av engine.

    Same thing with oldschool adinf32 I guess.

    Exactly.

    Beside: Adinf even alarms when e.g. setupapi.log changes or any other log, I guess it is usual that logs are changing, :-D ;-D
     
  16. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    DrWeb soon will release v5.0, maybe something is cardinally changed. In comparison to Kaspersky - Drweb or Adinf looks really like "old-school" (win2k maximum).
     
  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    What about lads.exe?

    http://www.heysoft.de/Frames/f_sw_la_en.htm

    I ran a simple test and it found them. I don't know about sophisticated malware, though.
     
  18. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    It is ADS lister. Just like streams from Mark Russinovich.
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Is that good or bad?
     
  20. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Rustock uses filtering of API requests, so it's invisible to the Windows APIs that are used to enumerate ADS in programs such as streams. A RAW implementation can deal with Rustock (or calls from kernel mode).

    But you can try and test this ADS lister with Rustock.B ;)
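    EP_X0FF's point above, that a lister going through the hooked Windows API is blind while a raw reader is not, as an added example that is not from this thread or from any tool named in it: it pulls $DATA stream names straight out of an NTFS MFT FILE record, including undoing the update-sequence fixups that every raw reader must handle. The record and its stream names (one borrowed from the path quoted in post #8) are constructed sample data; reading the real $MFT from a volume is assumed to happen elsewhere.

```python
import struct
SECTOR, RECORD, ATTR_DATA, ATTR_END = 512, 1024, 0x80, 0xFFFFFFFF

def apply_fixups(rec: bytes) -> bytes:
    """Undo NTFS update-sequence protection: put back the last word of each sector."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_len = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_len):
        if buf[i * SECTOR - 2:i * SECTOR] != usn:
            raise ValueError("fixup mismatch: torn or tampered record")
        buf[i * SECTOR - 2:i * SECTOR] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def list_data_streams(rec: bytes) -> list:
    """Walk the attribute list; return every $DATA stream name ('' = default stream)."""
    rec, names = apply_fixups(rec), []
    off = struct.unpack_from("<H", rec, 0x14)[0]               # first attribute offset
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        nlen, noff = struct.unpack_from("<BH", rec, off + 9)   # name length (chars), offset
        if atype == ATTR_DATA:
            names.append(rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le"))
        off += alen
    return names

def _attr(name: str, payload: bytes) -> bytes:   # one resident $DATA attribute
    n = name.encode("utf-16-le")
    coff = 0x18 + len(n) + (-(0x18 + len(n))) % 8              # content is 8-byte aligned
    total = coff + len(payload) + (-(coff + len(payload))) % 8
    hdr = struct.pack("<IIBBHHHIHBB", ATTR_DATA, total, 0, len(name), 0x18, 0, 0,
                      len(payload), coff, 0, 0)
    return (hdr + n).ljust(coff, b"\0") + payload.ljust(total - coff, b"\0")

def build_record(streams: dict) -> bytes:
    """Construct a sample FILE record (not from a real disk), fixups applied as NTFS would."""
    usa_off, usa_len, usn, first = 0x30, 3, b"\x11\x22", 0x38
    body = b"".join(_attr(n, d) for n, d in streams.items()) + struct.pack("<I", ATTR_END)
    hdr = struct.pack("<4sHHQHHHHIIQH", b"FILE", usa_off, usa_len, 0, 1, 1, first, 1,
                      first + len(body), RECORD, 0, len(streams))
    rec = bytearray((hdr.ljust(usa_off, b"\0") + usn).ljust(first, b"\0") + body).ljust(RECORD, b"\0")
    for i in range(1, usa_len):     # stash the real last word of each sector, stamp the USN
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)

SAMPLE = build_record({"": b"", "svchost.exe": b"MZ" + b"\x90" * 600})   # constructed sample
```

    The named stream's content deliberately straddles the first sector boundary, so `list_data_streams(SAMPLE)` only returns `['', 'svchost.exe']` because the fixup words were restored first.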
     
  21. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Oh well, they moved the malware to 81.29.241.231... (by the way, for the security vendors out there, the files are in the directories):

    hxxp://81.29.241.231/user2/bond00(numbers from 81 to 90)/service32.exe
    hxxp://81.29.241.231/user2/bond0(numbers from 171 to 270)/service32.exe


    These are the infection starters, the Rustock.B rootkit is picked up from the infection later on...
     
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Thank you for sharing & kudos TNT for the info, it all helps :thumb:

    I have put some of the collected malwares up on MIRT malware listserve for widespread distribution.

    Winsys32 was the Rustock B dropper in a couple of runs I had at the infection yesterday in order to collect files for uploading.
     
  23. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  24. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Damn this tool is cool! Better than Gmer in terms of detecting friendly and hostile hooks! Great. Never thought that Trend Micro would be able to create such a cool thing.
     
  25. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    RootkitBuster === AVG Antirootkit === Avira Antirootkit === Sophos Antirootkit === BlackLight === BitDefender Antirootkit

    I see no difference between them and they all are weak.
     