Rustock Trojan A Model For Future Threats

Discussion in 'malware problems & news' started by ronjor, Dec 14, 2006.

Thread Status:
Not open for further replies.
  1. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK

    I did find a useful part of the PrevX Gromz tool with regards to Rustock infections.

    It saw (reported) and cleaned ADS-dwelling rootkits (lzx32.sys, svchost.exe); in the case of Rustock A+B this allowed for cleaning of the rootkit out of ADS by the PrevX tool. It didn't allow for retrieval like the latest version of RKU but still showed some overlap in behaviour between the 2 infections.

    Just for the record, PrevX was not the only tool that could rip out the Gromozon infection, but they got all the publicity/pressed the right buttons and subsequently benefited from positive publicity in raised awareness of the brand name etc.

    All I can say is fair play to Marco and the team :)

    TNT if you want Rustock sources to inspect/study drop me a PM with contact/upload email addy and you can make a full judgement for yourself on this malware :)

    EP_XOFF Do you have Rustock C yet and if so would you be willing to share it so others can inspect/study PE386's latest creation ?
     
  2. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Please show me the most advanced malware rootkit ;) Which one for example?

    I do not have such samples. Just an older version of rustock.a and some reversed builds of rustock.b. I think nobody has the C variant, because nobody has found it yet :p

    btw, what's up with gmer.net? Is it really ddosed? :blink:
     
  3. Kaupp

    Kaupp Registered Member

    Joined:
    May 17, 2005
    Posts:
    59
    Hi Mrkvonic

    I would be interested in reading up on your method for using live CDs to find rootkits.

    Can you provide a tutorial or point me to a site with the relevant info?

    Thanks in advance!

    Kaupp
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Ok, I've looked around and now I see. The people who're using Rustock are, in fact, the same people who were using Gromozon (which suddenly disappeared the second week of November, only to be replaced with this new thing). :doubt:
     
  5. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,

    Kaupp, you can save a log file that lists all folders and files on your C drive. Then boot from CD, do the same. Then compare the two for differences.

    Or visually inspect the most common locations like system32 etc.

    Plus Linux CDs like Helix and Knoppix have some very neat tools.

    UBCD4WIN also has a solid collection of tools that can be utilized.

    That said, I do not go about seeking rootkits like a madman.

    Mrk
     
  6. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Dude, keep in mind that MALWARE is not only rootkits. And because something is "invisible" when it runs, that doesn't make it the most advanced malware at all.
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    Or malware at all. There are many legit programs / apps / processes that have invisible attributes.
    Mrk
     
  8. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    I suspect that those same people are the same ones that have been slipping malware into ADS for some time now with a well known family of infections ;)
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    hm, yes, I noticed such kind of services.exe activity, bad, bad, bad.
    I'm wondering if it has something to do with ncobjapi.dll, msvcrt.dll or msvcp60.dll.

    :D :D :D

    still no reaction

    probably
     
    Last edited: Dec 17, 2006
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    I'm surprised Rustock C appears to be so elusive, as it seems to have been around for a while.


    StevieO
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Correct ansWer, Sir. :D

    One just wishes all the efforts these guys make in producing this kind of crap would go into something constructive instead. How they can look at themselves in the mirror after using all their knowledge to make other people's lives miserable is beyond me.
     
  12. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Why not? What do you mean by advanced malware? Something that can be removed by AV with the latest signatures? Only rootkits can claim the title "most advanced"; all the others are simple joke programs. I have been collecting these "programmes" since 1992 and I want to say that the most interesting samples were always rootkit-like (e.g. CIH). So I stand by my opinion.
     
  13. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    The big hunt has begun. Whoever gets this sample first also gets the new technologies first. I think the driver will use hiding tricks similar to phide_ex.
     
  14. Kaupp

    Kaupp Registered Member

    Joined:
    May 17, 2005
    Posts:
    59
    Hi Mrkvonic

    That sounds perfect but I'm not sure of what program to use?

    Any suggestions would be appreciated!

    regards

    Kaupp
     
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    I think UBCD4WIN has something called 'Rootkitty' which does the job as Mrkvonic stated.
     
  16. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    On the hunt :) Yes, phide_ex is not so easy, but nothing is impossible - yes, a driver was my thought exactly.
     
  17. zobi

    zobi Registered Member

    Joined:
    Nov 14, 2006
    Posts:
    4

    maybe he was thinking of viruses like zmist and other stuff from the 29a ;)
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK

    Maybe, but EP_XOFF was asking with reference to rootkit related malware and not malware in general, or at least that is how I perceived the original question, which was not answered...

    BTW the original question was to F-Prot God

    God's post almost resembled a typical politician's reply, lol
     
    Last edited: Dec 18, 2006
  19. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Rustock is probably the most advanced of these, with rootkit capabilities and polymorphism. It requires highly complex detection and removal, going beneath Rustock to extract it, not just standard AV scanning. I think Rustock will be staying and perfected more and used for all sorts of different payloads ;)
    Good patching and a non-vulnerable browser will help.
     
  20. Kaupp

    Kaupp Registered Member

    Joined:
    May 17, 2005
    Posts:
    59
    please disregard because I found the way to do it at the command line

    dir /a:-d /b /s > filename.txt

    It showed two differences when I compared the files

    C:\System Volume Information\MountPointManagerRemoteDatabase
    C:\System Volume Information\tracking.log


    I don't think these files are anything to worry about but please someone correct me if I'm wrong.

    I'm just wondering if it is still possible for sophisticated trojans like Rustock to remain hidden from the file comparison?


    p.s. thanks for the info about Rootkitty, Meriadoc.
     
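The comparison method Mrkvonic describes above (one file listing from the running Windows system, one from a live CD, then diff them) and the `dir /a:-d /b /s > filename.txt` listings Kaupp produced can be compared with a small script. The following is an added example, not a tool posted in the thread or part of UBCD4WIN/Rootkitty; the two listings embedded in it are constructed samples, and the file name `hidden_driver.sys` is a made-up placeholder. Paths that the running OS legitimately writes on its own (Kaupp's two `System Volume Information` hits) are filtered out so only the unexpected differences remain.

```python
"""Compare two `dir /a:-d /b /s` listings of the same disk, one taken from the
running Windows system and one from a live-CD boot, and report paths that
appear in only one of them.  A file present only in the offline (live CD)
listing is the interesting case: something on disk that the running OS did
not show.  Example code added to this thread, not from any of the posters."""

import re

# Constructed sample listings (not real captures).  The drive letter differs
# because a live CD usually mounts the Windows volume under another letter.
ONLINE_LISTING = """\
C:\\WINDOWS\\system32\\kernel32.dll
C:\\WINDOWS\\system32\\ntoskrnl.exe
C:\\System Volume Information\\tracking.log
"""

OFFLINE_LISTING = """\
D:\\WINDOWS\\system32\\kernel32.dll
D:\\WINDOWS\\system32\\ntoskrnl.exe
D:\\WINDOWS\\system32\\hidden_driver.sys
D:\\System Volume Information\\tracking.log
D:\\System Volume Information\\MountPointManagerRemoteDatabase
"""

# Locations that legitimately differ between the two views (the running OS
# maintains restore points and tracking.log there), so they are not reported.
IGNORE_PREFIXES = ("\\system volume information\\",)


def normalize(path: str) -> str:
    """Drop the drive letter and lowercase the path, so C:\\x and D:\\x compare
    equal (NTFS is case-insensitive; the letter depends on who mounted it)."""
    path = re.sub(r"^[A-Za-z]:", "", path.strip())
    return path.lower()


def parse_listing(text: str) -> set:
    """One absolute path per line, as `dir /b /s` prints it; blank lines skipped."""
    return {normalize(line) for line in text.splitlines() if line.strip()}


def is_ignored(path: str) -> bool:
    return any(path.startswith(prefix) for prefix in IGNORE_PREFIXES)


def compare_listings(online: str, offline: str):
    """Return (only_in_offline, only_in_online) as sorted lists of normalized
    paths, with the ignored locations removed from both."""
    on_disk_seen_online = parse_listing(online)
    on_disk_seen_offline = parse_listing(offline)
    only_offline = sorted(p for p in on_disk_seen_offline - on_disk_seen_online
                          if not is_ignored(p))
    only_online = sorted(p for p in on_disk_seen_online - on_disk_seen_offline
                         if not is_ignored(p))
    return only_offline, only_online


def compare_files(online_path: str, offline_path: str):
    """Same comparison on two saved listing files.  `dir` writes the console
    code page, so undecodable bytes are replaced rather than aborting."""
    with open(online_path, encoding="cp437", errors="replace") as f_on, \
         open(offline_path, encoding="cp437", errors="replace") as f_off:
        return compare_listings(f_on.read(), f_off.read())


if __name__ == "__main__":
    hidden, missing = compare_listings(ONLINE_LISTING, OFFLINE_LISTING)
    print("Seen only from the live CD (not shown by the running OS):")
    for p in hidden:
        print("  " + p)
    print("Seen only on the running OS (gone when booted offline):")
    for p in missing:
        print("  " + p)
```

Two caveats on the page's own topic: `dir /b /s` enumerates the directory index only, so a payload stored in an alternate data stream (as the thread notes for Rustock's lzx32.sys) is absent from both listings and the diff cannot surface it; and a listing taken on the live system after the rootkit has loaded is already filtered by it, which is exactly why the offline copy is the reference.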
  21. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Exactly. I'm not interested anymore in user mode viruses/trojans and other third-party 'programmes'.
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    It doesn't matter what it is, the prevention is the same.

    -rich


    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     
  23. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,213
    Hello,
    Kaupp, why do you think you have a rootkit? Why should you have it?
    Have you done anything that should result in an infection?
    Mrk

    P.S. I wouldn't lose too many hours of sleep if I were you.

    P.P.S. You should not get hung up on a single item and decide doomsday's come. It's usually a variety of symptoms together - changed performance, number of running processes, new items in scanners, crashes, BSODs etc. If you experience nothing, then why should you suspect anything?
     
  24. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Excuse me, where here did you find something about prevention? Yep, you are probably right (depends on what you mean by prevention), but here we are not talking about prevention.
     
  25. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Why not?

    From the article posted by ronjor:

    If you prevent the first of the three duties, the other two are moot points. Why exclude this from the discussion? This is certainly of primary importance to many people.

    By "what you mean by prevention" I mean: don't let it install.

    regards,

    -rich


    ________________________________________________________________
    "Talking About Security Can Lead To Anxiety, Panic, And Dread...
    Or Cool Assessments, Common Sense And Practical Planning..."
    --Bruce Schneier
     