Rustock Trojan A Model For Future Threats

Discussion in 'malware problems & news' started by ronjor, Dec 14, 2006.

Thread Status:
Not open for further replies.
  1. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Here is a gift for the very professional and sophisticated GMER author. Wonderful Vista support in your latest (12.04) build. Immediate BSOD after start.

    Awaiting further sarcastic statements from you, "friend".

    Code:
    Loading Dump File [C:\MEMORY.DMP]
    Kernel Summary Dump File: Only kernel address space is available
    
    Symbol search path is: *** Invalid ***
    ****************************************************************************
    * Symbol loading may be unreliable without a symbol search path.           *
    * Use .symfix to have the debugger choose a symbol path.                   *
    * After setting your symbol path, use .reload to refresh symbol locations. *
    ****************************************************************************
    Executable search path is: 
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    *                                                                   *
    * The Symbol Path can be set by:                                    *
    *   using the _NT_SYMBOL_PATH environment variable.                 *
    *   using the -y <symbol_path> argument when starting the debugger. *
    *   using .sympath and .sympath+                                    *
    *********************************************************************
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
    Windows Vista Kernel Version 6000 UP Free x86 compatible
    Product: WinNt, suite: TerminalServer SingleUserTS
    Built by: 6000.16386.x86fre.vista_rtm.061101-2205
    Kernel base = 0x81800000 PsLoadedModuleList = 0x81911db0
    Debug session time: Wed May  9 15:24:52.174 2007 (GMT+8)
    System Uptime: 0 days 0:01:28.893
    *********************************************************************
    * Symbols can not be loaded because symbol path is not initialized. *
    *                                                                   *
    * The Symbol Path can be set by:                                    *
    *   using the _NT_SYMBOL_PATH environment variable.                 *
    *   using the -y <symbol_path> argument when starting the debugger. *
    *   using .sympath and .sympath+                                    *
    *********************************************************************
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
    Loading Kernel Symbols
    ....................................................................................................................................
    Loading User Symbols
    PEB is paged out (Peb.Ldr = 7ffde00c).  Type ".hh dbgerr001" for details
    Loading unloaded module list
    .......
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    Use !analyze -v to get detailed debugging information.
    
    BugCheck 50, {f884cfb8, 0, 8198e897, 2}
    
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
    
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
    
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: nt!_KPRCB                                     ***
    ***                                                                   ***
    *************************************************************************
    Page 313c4 not present in the dump file. Type ".hh dbgerr004" for details
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for win32k.sys - 
    *** ERROR: Module load completed but symbols could not be loaded for gmer.sys
    Probably caused by : gmer.sys ( gmer+5bae )
    
    Followup: MachineOwner
    ---------
    
    kd> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************
    
    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: f884cfb8, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: 8198e897, If non-zero, the instruction address which referenced the bad memory
    	address.
    Arg4: 00000002, (reserved)
    
    Debugging Details:
    ------------------
    
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
    
    ***** Kernel symbols are WRONG. Please fix symbols to do analysis.
    
    *************************************************************************
    ***                                                                   ***
    ***                                                                   ***
    ***    Your debugger is not using the correct symbols                 ***
    ***                                                                   ***
    ***    In order for this command to work properly, your symbol path   ***
    ***    must point to .pdb files that have full type information.      ***
    ***                                                                   ***
    ***    Certain .pdb files (such as the public OS symbols) do not      ***
    ***    contain the required information.  Contact the group that      ***
    ***    provided you with these symbols if you need this command to    ***
    ***    work.                                                          ***
    ***                                                                   ***
    ***    Type referenced: nt!_KPRCB                                     ***
    ***                                                                   ***
    *************************************************************************
    
    MODULE_NAME: gmer
    
    FAULTING_MODULE: 81800000 nt
    
    DEBUG_FLR_IMAGE_TIMESTAMP:  461e2e19
    
    READ_ADDRESS: unable to get nt!MmSpecialPoolStart
    unable to get nt!MmSpecialPoolEnd
    unable to get nt!MmPoolCodeStart
    unable to get nt!MmPoolCodeEnd
     f884cfb8 
    
    FAULTING_IP: 
    nt!RtlVolumeDeviceToDosName+14
    8198e897 8b472c          mov     eax,dword ptr [edi+2Ch]
    
    MM_INTERNAL_CODE:  2
    
    DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
    
    BUGCHECK_STR:  0x50
    
    LAST_CONTROL_TRANSFER:  from 8188fa74 to 818a9ef2
    
    STACK_TEXT:  
    WARNING: Stack unwind information not available. Following frames may be wrong.
    93d56f7c 8188fa74 00000000 f884cfb8 00000000 nt!NtBuildGUID+0x4f4e
    93d57018 904ed598 00000154 93d57563 00000010 nt!Kei386EoiHelper+0x271c
    93d57864 93c5bbae f884cf8c 93d57880 853e6788 win32k!EngTextOut+0xd04
    93d57968 93c5bcdb 84ed6b45 853e6788 00000820 gmer+0x5bae
    93d57a90 93c56ef5 8521a1c0 853e6788 00000820 gmer+0x5cdb
    93d57bd0 93c578ee 85ce6c40 853e6788 00000004 gmer+0xef5
    93d57bf8 93c57d59 85ce6c40 853e6788 00000004 gmer+0x18ee
    93d57c2c 81827ecf 85dedc20 853e6788 85c57b58 gmer+0x1d59
    93d57c44 81988f65 85ce6c40 85c57b58 85c57bc8 nt!IofCallDriver+0x64
    93d57c64 81989f25 85dedc20 85ce6c40 0012ab00 nt!IoIsFileObjectIgnoringSharing+0x344d
    93d57d00 8198ee8d 85dedc20 85c57b58 00000000 nt!IoIsFileObjectIgnoringSharing+0x440d
    93d57d34 8188c96a 00000144 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
    93d57d64 77500f34 badb0d00 0012aaac 00000000 nt!KeReleaseInStackQueuedSpinLockFromDpcLevel+0xba2
    93d57d68 badb0d00 0012aaac 00000000 00000000 0x77500f34
    93d57d6c 0012aaac 00000000 00000000 00000000 0xbadb0d00
    93d57d70 00000000 00000000 00000000 00000000 0x12aaac
    
    
    STACK_COMMAND:  kb
    
    FOLLOWUP_IP: 
    gmer+5bae
    93c5bbae a3e843c693      mov     dword ptr [gmer+0xe3e8 (93c643e8)],eax
    
    SYMBOL_STACK_INDEX:  3
    
    FOLLOWUP_NAME:  MachineOwner
    
    IMAGE_NAME:  gmer.sys
    
    SYMBOL_NAME:  gmer+5bae
    
    BUCKET_ID:  WRONG_SYMBOLS
    
    Followup: MachineOwner
    ---------
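The dump above is WinDbg `!analyze -v` output taken without a symbol path, so the `nt!`/`win32k!` names in the stack are export-symbol guesses and the bucket comes out as WRONG_SYMBOLS. What remains trustworthy is the bugcheck code with its four parameters, and which third-party driver frames sit between the kernel entry (NtDeviceIoControlFile) and the fault. The following Python is an added example, not code from EP_X0FF, GMER or anyone in this thread: a small parser for this kind of output that pulls those facts out and flags the parts that cannot be trusted. The SAMPLE text is a constructed, abbreviated excerpt of the dump above; the MICROSOFT_MODULES allow-list and the parameter decoding for codes 0x50 and 0xD1 are the example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Windows-supplied modules; anything else on the stack is treated as third-party.
# Assumed, deliberately short allow-list for this example, not something WinDbg provides.
MICROSOFT_MODULES = {"nt", "ntkrpamp", "ntkrnlpa", "ntoskrnl", "hal", "win32k", "fltmgr"}

# Documented meaning of the four bugcheck parameters for the two codes handled here.
ARG_MEANINGS: Dict[int, List[str]] = {
    0x50: ["memory referenced", "access (0=read, 1=write)", "faulting instruction address", "reserved"],
    0xD1: ["memory referenced", "IRQL at time of fault", "access (0=read, 1=write)", "faulting instruction address"],
}
ACCESS_ARG_INDEX = {0x50: 1, 0xD1: 2}   # which parameter carries the read/write flag

_BUGCHECK_RE = re.compile(r"BugCheck ([0-9A-Fa-f]+), \{([^}]*)\}")
# kb frame: ChildEBP RetAddr Arg1 Arg2 Arg3 symbol
_FRAME_RE = re.compile(r"^([0-9a-f]{8}) ([0-9a-f]{8}) (?:[0-9a-f]{8} ){3}(\S+)[ \t]*$", re.M)
_FIELD_RE = re.compile(r"^([A-Z_]+):[ \t]+(\S.*?)[ \t]*$", re.M)   # MODULE_NAME: gmer, etc.
_UNRELIABLE_MARKERS = ("Kernel symbols are WRONG", "Symbol file could not be found",
                       "Symbols can not be loaded", "WRONG_SYMBOLS")

# Constructed sample: an abbreviated excerpt of the !analyze -v output posted above.
SAMPLE = """\
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntkrpamp.exe - 
BugCheck 50, {f884cfb8, 0, 8198e897, 2}
***** Kernel symbols are WRONG. Please fix symbols to do analysis.
Probably caused by : gmer.sys ( gmer+5bae )

PAGE_FAULT_IN_NONPAGED_AREA (50)

MODULE_NAME: gmer
FAULTING_IP: 
nt!RtlVolumeDeviceToDosName+14
8198e897 8b472c          mov     eax,dword ptr [edi+2Ch]

STACK_TEXT:  
WARNING: Stack unwind information not available. Following frames may be wrong.
93d56f7c 8188fa74 00000000 f884cfb8 00000000 nt!NtBuildGUID+0x4f4e
93d57864 93c5bbae f884cf8c 93d57880 853e6788 win32k!EngTextOut+0xd04
93d57968 93c5bcdb 84ed6b45 853e6788 00000820 gmer+0x5bae
93d57c2c 81827ecf 85dedc20 853e6788 85c57b58 gmer+0x1d59
93d57d34 8188c96a 00000144 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
93d57d68 badb0d00 0012aaac 00000000 00000000 0x77500f34

IMAGE_NAME:  gmer.sys
BUCKET_ID:  WRONG_SYMBOLS
"""


def module_of(symbol: str) -> Optional[str]:
    """'nt!Foo+0x10' -> 'nt'; 'gmer+0x5bae' -> 'gmer'; a bare '0x77500f34' -> None."""
    if symbol.startswith("0x"):
        return None
    return re.split(r"[!+]", symbol, 1)[0]


@dataclass
class CrashTriage:
    code: int
    name: str
    args: List[int]
    fields: Dict[str, str]
    faulting_ip_symbol: Optional[str]
    probably_caused_by: Optional[str]
    frames: List[str]                 # frame symbols, innermost first, as kb prints them
    symbols_reliable: bool
    warnings: List[str] = field(default_factory=list)

    @property
    def arg_meanings(self) -> List[str]:
        return ARG_MEANINGS.get(self.code, ["unknown"] * 4)

    @property
    def access(self) -> Optional[str]:
        idx = ACCESS_ARG_INDEX.get(self.code)
        return None if idx is None else ("write" if self.args[idx] else "read")

    def _third_party(self):
        out = []
        for i, sym in enumerate(self.frames):
            m = module_of(sym)
            if m and m.lower() not in MICROSOFT_MODULES:
                out.append((i, m))
        return out

    @property
    def third_party_modules(self) -> List[str]:
        return list(dict.fromkeys(m for _, m in self._third_party()))

    @property
    def first_third_party_frame(self) -> Optional[int]:
        tp = self._third_party()
        return tp[0][0] if tp else None


def triage(text: str) -> CrashTriage:
    m = _BUGCHECK_RE.search(text)
    if not m:
        raise ValueError("no 'BugCheck XX, {...}' line in input")
    code = int(m.group(1), 16)
    args = [int(a, 16) for a in m.group(2).replace(" ", "").split(",")]
    name_m = re.search(rf"^([A-Z_]+) \({code:X}\)[ \t]*$", text, re.M)
    ip_m = re.search(r"^FAULTING_IP:[ \t]*\n(\S+)", text, re.M)
    cause_m = re.search(r"^Probably caused by : (.+?)[ \t]*$", text, re.M)
    frames = [fm.group(3) for fm in _FRAME_RE.finditer(text)]
    reliable = not any(marker in text for marker in _UNRELIABLE_MARKERS)
    warnings = []
    if not reliable:
        warnings.append("symbols unreliable: 'Probably caused by' and nt!/win32k! names are guesses")
    if "Following frames may be wrong" in text:
        warnings.append("no unwind info: the frame list itself may be wrong")
    return CrashTriage(code, name_m.group(1) if name_m else "UNKNOWN", args,
                       dict(_FIELD_RE.findall(text)), ip_m.group(1) if ip_m else None,
                       cause_m.group(1) if cause_m else None, frames, reliable, warnings)


if __name__ == "__main__":
    t = triage(SAMPLE)
    print(f"bugcheck 0x{t.code:X} {t.name}: {t.access} of 0x{t.args[0]:08x} at {t.faulting_ip_symbol}")
    print("third-party modules on stack:", t.third_party_modules, "first at frame", t.first_third_party_frame)
    print("WinDbg blames:", t.probably_caused_by, "| symbols reliable:", t.symbols_reliable)
    for w in t.warnings:
        print(" !", w)
```

For the dump above the parser reports a read of f884cfb8 inside nt!RtlVolumeDeviceToDosName, reached from user mode through NtDeviceIoControlFile and two gmer.sys frames, which makes the driver's IOCTL handler the first place to look; but because the symbols are unreliable, the `gmer+5bae` attribution still has to be confirmed against the driver's own symbols or a disassembly before anyone calls it the cause.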
    
     
  2. EASTER.2010

    EASTER.2010 Guest

    I hate to disappoint you, but my configuration IS NOT exactly what you refer to. On the exact contrary, FYI, I can close my only "3" defense shields and your program still flickers like the lightning bugs that fly the night air here in the summer. That behavior was so very indicative of '98 programs and not seen since then until gmer.

    I have dismissed your program as well as any further discussion or attention to it, since it's utterly futile to arrive at any reasonable explanation from you other than CANNED RESPONSES, and I look forward to more innovative & creative additions to RKUnhooker. :thumb:

    CASE CLOSED:

    Nothing personal, I just know better now not to expect anything useful & to look away from it. :thumbd:
     
    Last edited by a moderator: May 9, 2007
  3. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Ouch, Gmer, speed up your development, don't give up. :cool: :D :cool: :D :cool:

    And please do me one favor: Polymorphic EXE File otherwise anyone can shut down your little tool.
    (or at least an option to create polymorphic Gmer-Exe, which might be better in some case)
     
  4. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    ... especially when you want to catch "legendary" rootkits :thumb:

    You are right, all this stuff (including "modern" ARKs) is a little old

    http://www.securiteam.com/windowsntfocus/3H5PQS0N5G.html

    Keep enjoying :)

    :thumb: "cat & mouse"

    @EASTER.2010
    Once again thanks for your feedback! I really appreciate your effort.

    @fcukdat
    You have your target "rstk" - "All your new malware are belong to us" ;)
     
  5. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Yes, a really LOL statement from Gmer; also this answer with the quote is very funny indeed.

    Yeah, dear friend, keep thinking so, keep smiling, you have nothing else to say.

    So, when do you plan your secondary PR-DDoS? I am asking this officially; I even sent you an email from your site. Still no answer.

    Huh? In theory, "friend", in theory.

    He-he-he, really funny.

    And BTW, nice Vista BSODing :)
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    :cool: :cool: :cool: :D :D :D I'll keep enjoying.

    Yes, already 1998, in this year it was my first contact with internet.

    But I doubt that we only talk about streams; there must be a bit more, only my assumption.
     
  7. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    @gmer

    In the end, to stop the sarcastic statements here (I hope; it is almost up to gmer):

    - stop joking when you have nothing to say
    - your level of knowledge is probably too advanced, so I simply do not understand you and your intentions
    - your tool is BUGGY, and you have no right to discuss "skills" and "techniques" implemented in the discussed trojan. Once you have learned to make your tool not BSOD every time on Vista, not hang completely on start, not flicker while working, and when your tool is able to do something with "rootkits" (which you deride), then please discuss whatever you want. At the current time your statements are pathetic and ridiculous.
    - and please follow MP_ART's advice: finally get your crap program into a debugger.
     
  8. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Question : "Not even when I replace my system partition with a new one ?"
    Answer : "I bet no, if it acts on hardware level, then forget it."

    That's the one I fear the most : hardware viruses.

    Does one motherboard-virus infect all motherboards or just one specific motherboard ?
     
  9. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I guess nearly everyone fears hardware infections the most, but actually there are too few proven cases and still too little information and PoCs. That's the big problem. I guess the most dangerous stuff actually comes from China; these freaks take it seriously with ACPI rootkits & co., as I showed in older threads. But I assume this stuff is not really widespread, very very low density probably. Except for a low-level software protection tool called DeepFreeze: with an older version they reached a wide range, as it was able to ruin your floppy bootblock in CMOS (in case you manually uninstalled it).

    Software-based, this Rustock story seems to be the most interesting. I really would like to see Russian stock C in action or an in-depth analysis.
     
  10. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    That is indeed the problem. I've read several horror stories, but never with a decent explanation, practical info, possible protection and proof. They are just written to scare people and they usually get alot of attention in forums.
    ~snip~
     
    Last edited by a moderator: May 10, 2007
  11. EASTER.2010

    EASTER.2010 Guest

    As every efficient and respected developer knows, you EARN a following (not just attention) by proven results all across the board and not just in isolated instances. So far all I have seen (for many months) in the gmer program is only an attempt to draw an audience and nothing more. Perhaps one such programming apprentice might heed some pointers originating from the balcony of an already proven Leader. If it is a team you lack, there's no shame in that, so long as you also consider the audience of those who would join in lending you a hand in progressing beyond these present limitations.

    Good Day: EASTER
     
  12. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    I no longer see the point in keeping this thread open. Even after several warnings to get back on topic, the personal insults and off-topic comments continue. There's just been too many TOS violations. Thread closed.
     