Rustock C no longer a myth, no longer a threat

Discussion in 'other anti-virus software' started by Meriadoc, May 6, 2008.

Thread Status:
Not open for further replies.
  1. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    Indeed. They do not have a "kitchen sink" approach to security as do some others.
     
  2. autoexecute

    autoexecute Registered Member

    Joined:
    May 23, 2008
    Posts:
    1
  3. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Mh, then someone has decided to publish most of the technical info. I don't know if this will be more helpful to everyone than just to rootkit writers in the end.

    Anyway, yes, as someone has already said, nothing is undetectable. That 13-byte-long inline hook technique is indeed interesting. The infection of system drivers is easily detected, even if the rootkit tries to hide it.
     
  4. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    I still don't understand something regarding RustockC.
    How do you get infected? RustockC has to start with something. Is that called the "dropper"?
    What does that dropper look like? I don't need a full explanation about RustockC, I only need to know how it begins.
     
  5. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    11,126
    Location:
    U.S.A. (South)
    AFAIK rootkits have all but run their gamut. Oh sure, a few others will no doubt rise from the ashes of the brief attention they managed to stir up, but whether it's Rustock c, d, or whatever, I believe they've almost exhausted their alternatives and so it's back to viruses for them again without a doubt.
     
  6. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Kaspersky released detection a few days ago...
     
  7. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Not really an answer to my question, I guess you don't know it either just like me. ;)
     
  8. Bunkhouse Buck

    Bunkhouse Buck Registered Member

    Joined:
    May 29, 2007
    Posts:
    1,286
    Location:
    Las Vegas
    Ya, don't feel like the Lone Ranger. I have been using computers since 1969, and I don't have a clue about how you get infected.
     
  9. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    The funny part of this is that after 230+ posts, we still don't have the answer to that SIMPLE question. Maybe they don't want to tell us, otherwise the scaring part is over.
    I had the same experience with Killdisk, Robodog, Robotdog, ... which destroyed my ISR software. First they scared me to death, later on I found out that these destructive threats were nothing but executables.
    My AE kills these threats immediately without questions, problem solved and FUD gone.
     
    Last edited: May 23, 2008
  10. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Dropper is probably an executable.... i.e. the thing that actually deposits the files on your drive and allows the infection to take hold.

    The dropper is only available in closed malware communities at the moment, but apparently it avoids being detected on execution (by HIPS etc.) due to the non-standard way that it infects your system.

    I have spoken to different malware researchers and analysts from different companies and the general consensus is "what can be built can be broken".... it might be harder to unravel this threat, but it can and will be done by each of the vendors with a bit of elbow grease and hard work :)

    It isn't FUD, because this rootkit lives up to the hype, but it is not impossible to detect and treat.

    Then we move on to the next "big thing"

    Hats off to the DWeb analysts for being the first ones to do so, some excellent reverse engineering :)

    edit: fixed typo
     
    Last edited: May 23, 2008
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Acc to EP what I understand is that the dropper will bypass HIPS like SSM, DW, etc.

    One of the users tried two droppers that he had and the driver loading by them was stopped by HIPS like CFP, GW, KAV PDM etc. So probably no special driver loading by those two droppers.

    But there are hundreds of variants I read, so my guess is that some droppers might be bypassing many HIPS/sandboxes etc. etc.
     
  12. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Baz_kasp and aigle,
    Thanks for taking the time to give me at least some answers.
    It's certainly not my biggest worry. I will take care of Rustock.C in my own way. :)
     
  13. Netherlands

    Netherlands Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    159
    Do you know the detection name?
     
  14. plantextract

    plantextract Registered Member

    Joined:
    Feb 13, 2007
    Posts:
    392
    virus.win32.rustock.a. It's used for both standalone files and for the infected files.
     
  15. IBK

    IBK AV Expert

    Joined:
    Dec 22, 2003
    Posts:
    1,886
    Location:
    Innsbruck (Austria)
  16. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
  17. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,642
    Location:
    Sneffels volcano
    Thanks for the link IBK.
    I knew it :rolleyes:
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Well, the Kaspersky article certainly tied up a lot of loose ends regarding this bot :D

    Here is ntldrbot merged to its own Agent downloader (d5266c58.sys). Well, I guess it's a boot-loading driver, so it fulfils the prerequisite for merging with ntldrbot :p
    *there is a 56kb discrepancy between the raw read of the driver by RKU (81kb) and the API read by Explorer (25kb)
    File size discrepancy report.jpg

    Using RKU to dump the driver unloads an 80kb file which I uploaded to the MIRT malware listserve for distribution yesterday because this code is very poorly flagged :blink:
    http://www.castlecops.com/t223241-MD5_755172db16fc958bd310c07c1cc2656f_ntldrbot_related.html

    I tested both GMER and IceSword; both can see the Agent, but both are bypassed by ntldrbot, and an attempted file copy of the agent driver resulted in only a 25kb driver being copied :cautious:

    Once it has landed, detection and subsequent removal is a whole new ball game and would require the coding of a new module for the defenders to effect a killshot. Dr Web and Kaspersky are at the ball game and I would expect to see PrevX CSI joining that list in the none too distant future ;)

    cure-it.jpg

    On the brighter side, it is imported by a Trojan Downloader.Agent that is widely known now (29/32 @ VT upload) and is easily defended at the front gates because it is an executable.
    The Agent drops a driver that is not hidden in <system> and also a load entry that is not concealed.
    autorun.jpg
    Once the Agent is loaded it then attempts to communicate outbound in order to facilitate the potential import of ntldrbot, so this baby is not discreet by any stretch of the imagination :D
    kerio.jpg

    So although it is a new method of hiding being used by Rustock C, it is easily defended against :thumb:
     
    Last edited: Jun 7, 2008
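The size cross-check fcukdat describes (a sector-level read of the driver being larger than what the file API reports, with the hidden tail being a second merged image) can be reproduced as a small forensic routine. This is an added example, not code from the thread or from RKU/GMER; it runs on constructed byte strings standing in for the two views rather than on a real disk, and reports hashes as well, to show why a copy taken through the filtered API carries a different hash than the raw dump.

```python
# Added example: compare a driver's "API view" (what Explorer/Win32 reports)
# against a "raw view" (what a sector-level reader returns). Sample bytes are constructed.
import hashlib
from dataclasses import dataclass


@dataclass
class ViewDiscrepancy:
    api_size: int
    raw_size: int
    hidden_bytes: int          # raw_size - api_size (0 when the views agree)
    api_is_prefix: bool        # the API view is exactly the head of the raw view
    hidden_tail_is_pe: bool    # the hidden region starts with an "MZ" header
    api_sha256: str
    raw_sha256: str

    @property
    def suspicious(self) -> bool:
        # Truncated API view whose hidden tail is a second PE image: the
        # "one driver merged onto another" pattern described in the post.
        return self.hidden_bytes > 0 and self.api_is_prefix


def compare_views(api_view: bytes, raw_view: bytes) -> ViewDiscrepancy:
    hidden = len(raw_view) - len(api_view)
    is_prefix = hidden >= 0 and raw_view.startswith(api_view)
    tail = raw_view[len(api_view):] if hidden > 0 else b""
    return ViewDiscrepancy(
        api_size=len(api_view),
        raw_size=len(raw_view),
        hidden_bytes=max(hidden, 0),
        api_is_prefix=is_prefix,
        hidden_tail_is_pe=tail.startswith(b"MZ"),
        api_sha256=hashlib.sha256(api_view).hexdigest(),
        raw_sha256=hashlib.sha256(raw_view).hexdigest(),
    )


def fake_pe_image(size: int, tag: bytes) -> bytes:
    # Constructed stand-in for a PE file: MZ header, a label, zero padding.
    body = b"MZ" + tag
    return body + b"\x00" * (size - len(body))


# Constructed sample: a 256-byte "downloader" driver as the API reports it, and
# the same bytes with a 512-byte second image appended, as a raw read sees it.
SAMPLE_API_VIEW = fake_pe_image(256, b"agent-downloader")
SAMPLE_RAW_VIEW = SAMPLE_API_VIEW + fake_pe_image(512, b"merged-payload")
```

Run against real files, the two views would come from the normal file API and from a raw volume read; the comparison logic stays the same.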
  19. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
  20. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    Fcukdat,

    Nice to see you using the old Kerio. What would you put in a rule as an application to cover "system" and prevent this from phoning home? I have any windows apps required by Kerio, limited to the LAN, except for svchost tcp out to port 80 and 443 for windows update. Perhaps that is a hole?

    It wouldn't hurt to put in another rule to help detect this type of attack if some similar malware does get by everything else, but I'm not sure what "system" is.

    This sure reinforces how careful you have to be when getting an alert saying such n such is trying to go to the internet.......so easy to just say ya ok!
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi fcukdat! Nice work. So many thanks for that. I was really waiting for a post from you in this thread. :thumb: :thumb:
     
  22. PurplePill

    PurplePill Registered Member

    Joined:
    Jun 7, 2008
    Posts:
    1
    Sorry, I am not english.

    PrevX CSI? I understand Dr.Web, Kaspersky...but PrevX? I wouldn't expect anything from them about Rustock.C. It needs really skilled people.
     
  23. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Welcome back, comrade; it is not only Russia that produces some of the finest software engineers ....there are others too!

    But for example when Gromozon first reared its ugly head we didn't see DW and KAV handle it too well, although that bot was more widespread in the wild for longer ;)

    But as we know it is cat and mouse for the attackers and defenders, so the war goes on :(

    All the best!
     
    Last edited: Jun 7, 2008
  24. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Good analysis fcukdat. :)
    It seems Avira was the final winner here. :)
     
  25. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    So apart from DrW and Kaspersky, do any of the other vendors detect and cure an active infection, based on your own research? (directed to FD)
     