Rustock Trojan A Model For Future Threats

Nice article Ronjor.. and to think most people think us IT guys are just surfing

 

Good interesting article,disagree about Black light being advanced tool(there are better available if you try a few more out(GMER,RKU etc).

I have a url that drops Rustock A via exploit into ADS on NTFS based OS.If any experts require info then drop me a PM

Also the latest evo of Rootkit unhooker(RKU) will allow for the retrieval after uncovering of the malware file that is loaded into ADS.Very neat trick

 

Hello everyone.

I think I can shred some light on Rustock.A/B and this article. Since we from the same country with PE386 I will be devil's advocate

Wrong. It hooks SYSENTER instruction or 2e interrupt and making filtering of Zw registry related functions. Rustock.B (claimed as Rustock v1.2 inside binary) was really improved in this area. Now it's using splicing of SYSENTER hook. It allocates some memory in ntoskrnl and set's jump to it's driver. So It doesn't hooks API's. It hooks theirs handler. Files of this rootkit can be found via RAW disk reading, so nothing been patched here.

List of antirootkit signatures inside Rustock.B (v1.2) - DarkSpy, GMER, Blacklight, RkDetector, RootkitRevealer. How does it detect them? Very simple -> rootkit doing scan of executables from kernel mode and search for specific signatures of each of them. For example for GMER it is "gmer" string inside. Firewalls and Rustock working on different levels. Firewalls already getting data that was filtered by rootkit. They are playing in different leagues. Also it contains some special block that removes third-party spam-malware from affected computer. So - it is some kind of antivirus =)

It's simple have very many builds lol. Each time they begins crypted by PE386 personal cryptor and build becomes unknown for signatures scanners. True polymorphic code - Gromozon.

What about Blacklight - I see no problems in it bypassing. Too many PR about it and too weak in real life.

More to say. Next generation of Rustock will be improved in many times. Author keep updating it's technologies and algorithms, so I must to say - next release will be undetectable for any AV/Firewalls and antirootkit programs available today. Only external scan will help. I'm looking on this rootkit not like on malware - like on perfectly coded thing.

 

Thanks EX_0FF for the insight

 

Hello fcukdat

Can you please provide that URL link for me via 'pm'

Thank you.

 

Yep Correct.

 

Agree. The most advanced malware available today. Somebody already got Rustock.C ?

 

God I love my BartPE.

 

SirMalware :

Admin's best friend

 

Sounds bodyless.

 

Hello,
Add Linux CDs to that list.
When I wrote about discovering rootkits easily using live CDs a long time ago, on the far end of commentary, I even received some ridicule.
Mrk

 

I have some new science fiction for you Mrkvonic ;-)

PCI ROM ROOTKIT, I am not sure if it is allowed to post the link, but look at x solve.

Throw your linux cd into dustbin :-D

Linux will show a bit more then Windows, you will see a unknown device, but you can do nothing against it with your linux cd. At the most watching the logs of unknown things at boot up.

 

Hello,

SystemJunkie, I realize you have LOTS of fun with what you do. Honestly, I understand your passion.

If you place code outside operating system, like hardware periphers, bios, video card, sound card, network card etc, you will achieve that which you claim.

BUT:

These threats must be adapted to specific computer architecture, otherwise they won't work - which means a subtype for every hardware piece out there.
These threats must be installed somehow, and doing that from within the operating system sounds a bit unlikely.
Simple reflash of these devices will erase these threats.
Proof of concept in lab is one thing; reality is another.

I read what John Heasman and Joanna Rutkowska have to say. Very nice for making a PhD. But that's not the reality.

There is no malware sample that does that and is out there. The task is too complex to achieve.

Some quotes:

"Both Intel SecureFlash and Phoenix TrustedCore motherboards prevent the system BIOS from being overwritten with unsigned updates."

From the article and paper: "(Because) enough people do not regularly apply security patches to Windows and do not run anti-virus software, there is little immediate need for malware authors to turn to these techniques as a means of deeper compromise."

"Heasman, a researcher at Next-Generation Security Software, does not believe that such techniques will become commonplace."

Mrk

 

Worse than gromozon? Maybe... still, I doubt it... I read the last Virus Bulletin description of that one, and I still have nightmares. The worst thing is, this is not some proof-of-concept threat that was built by security experts to point out how far you can go, it was very real and very widespread (at least in Italy)...

 

Here is another link for PCI Rootkits.
Rootkits on your souncard, network card... anything is possible.

I saw other things, beside there are surely other manufacturers then only Intel and Phoenix and most mainboards nowadays have e.g. no BIOS protection!

 

Hello,
Most mainstream nowadays comps do have BIOS protection.
Mrk

 

BK, you've got it!!!

BTW slaps forehead i just remembered i have archived Rustock A + B droppers if you want to bypass the infection urls and go streight to the installer/dropper file

So if anyone wants Rustock dropper files,i need a contact email addy to send as zipped/passworded attachment.

 

No. 80% not.

 

Gromozon - good malware for prevx sales. Rustock real spam-bot malware that working in kernel mode only. So it most extended.

 

What the hell are you talking about? "Good malware for PrevX sales"? "So it most extended"? Give me a break. I've SEEN gromozon, I know what it does, I know how it works and I've seen HOW MANY people got infected. By the way, gromozon uses rootkit techniques as well.

I have no idea what you're trying to say with crap like "good malware for PrevX sales"... are you saying that PrevX created gromozon to sell? Funny, that's exactly what the kind of bull***t the creators of gromozon were trying to fool people with... are you by any chance familiar with them?

 

Guys you are going to total offtopic Gromozon and Rustock - are different rootkits.

 

I know... I am not familiar with Rustock. Only, since it's been labeled as "the most advanced malware" I was asking if anybody who's seen both thinks this is more "advanced" than gromozon (which I've seen quite a bit). Now, don't get me wrong... Rustock might be "worse", so to speak. But really, I have to see it to believe, since gromozon is an absolute nightmare for how deeply it goes into the system.

 

Well, I saw both in real action. On my machine =)

Gromozon - perfectly coded polymorphic engine. But it works only in user mode, hooks only user mode functions. Also it uses some undocumented features of file systems. It's actively blocking antirootkits program from start by searching specific words in captions and file version info blocks. That is too obvious for hidden thing. One thing what you need to remove it - simple start modern antirootkit program with low level disk access, ability to unhook hooked function. After this main morphed dll of gromozon can be wiped and rootkit is dying after reboot.

Rustock - another perfectly coded rootkit that works only in kernel mode but actively interacts with user mode (thread inside services.exe). Instead of gromozon it is not hooking API, its hooking API global handler. So here it most advanced. It's not preventing antirootkits programs from start - its stays totally hidden when they starting. In the begining only our program was able to detect rootkit driver. It's uses advanced signatures scanning to search antirootkits, counteract with Kaspersky klif.sys, hides it's presence in ADS so here it is undisputable most advanced malware. Main problem of Gromozon was that it was really easy to detect, just start something "antirk" and if it's not started then you have Gromozon Rustock real rootkit that hides it presence and counteracts with antirk - not denies it's start.

So, here I understand why peoples here (like Z0mBie for example) thinks that gromozon + prevx = love. What about my opinion about this - let's keep it in a secret

 

It is not. It is maybe one of the "most advanced malware" RECENTLY but it is not THE most advanced malware.