Rustock Trojan A Model For Future Threats

Look what the cat dragged in

*****AntiSpyware Scan Log
Generated 01/15/2007 at 07:20 PM

Application Version : 3.5.1016

Core Rules Database Version : 3165
Trace Rules Database Version: 1176

Trojan.Downloader-CounterMeasures
HKLM\System\ControlSet001\Services\ICF
C:\WINDOWS\SYSTEM32\SVCHOST.EXE:EXE.EXE
HKLM\System\ControlSet002\Services\ICF
HKLM\System\ControlSet003\Services\ICF
HKLM\System\ControlSet004\Services\ICF
HKLM\System\CurrentControlSet\Services\ICF

CWS malware quite possibly,i have seen 023 in HJT log after cws/vx infection with ICF intenet counter-measures Framework listed.
http://www.castlecops.com/o23list-2323.html
Next time it comes down the pipes i will send you a copy of associated files

 

Now i'm truely stoked as a software fanboy

In the past 12 hours SUPERAntiSpyware free has sucessfully detected and removed 6 unique loaded lzx32.sys(Rustock B's)on my machine.

I believe that SAS free has just joined the very exclusive club of Rustock killers alongside the other specialized ARK tools+PrevX Gromz tool.

Can some of you guys verify this on your machines.TIA

 

I've experienced the same. SAS was, however, also able to do this at some point in Fall 2006. The problem is just that rustock.b changes all the time. And SAS' detection of Rustock.b has therefore not been stable.

 

Thanks ejvindh

Last night was the first time it took out a Rustock c/o CWS infection on my PC.
I know the *Vendor* had said that the software could nuke Rustock but i had never seen it happen til then.
Just to double check i then ran another 5 uniques trojan dropper/drivers and each time SAS kicked loaded Rustock out

FWIW these uniques were gathered c/o CWS infections previously over the last 3-4 months where SAS has been used to clean the infections but failed to detect Rustock at the time.
Either Nick has had a purge on drivers or he has made a *special* rule for Rustock....I'm just trying to work out which

Thanks again for feedback

 

Hi

Looks like "perfectly coded rootkit" dropped sophisticated SYSENTER hooking and came back to "old-school" SSDT hooks.

Code:

SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwCreateKey
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwDeviceIoControlFile
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwEnumerateKey
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwOpenKey
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwQueryKey
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwQuerySystemInformation
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwSaveKey
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwTerminateProcess

Code     \??\D:\WINDOWS\system32:lzx32.sys        pIofCallDriver

What a shame !

Gmer

 

Gmer, are you seriously think that it is new version?

what a shame on you LOL

 

@gmer
lol "old school" What about old bugs in your old school "antirootkit"

 

Have you ever seen a "new" version or Mr PE386 mock at "us"

 

To all:

Discuss technical content, not members, or the discussion will be closed. If that's not clear enough, PM me for any additional clarification required.

Blue

 

Can latest version of Gmer fully remove it?

Uh, in other words is there a updated version of gmer the public might soon expect?

A simple yes or no answer will suffice.

 

Rustock.C? Of course - no. It can't even detect it.

Not surprise for me, because
1. It is one of the easiest bypassing rkdetectors available today
2. GMER (as well as all mainstream firewalls) obviously was in a technical project of this rootkit

Nothing, no file, no keys, no hooks, no driver, no network activity. To detect it, or more - to remove it, it is needed much more sophisticated level, e.g. direct work with hardware.

 

Not even when I replace my system partition with a new one ?

 

@gmer

Continued issues experienced on my units from your ARK detector lead me to probe you for some information. Again i must ask, do you or will you be releasing a newer version of gmer? Also it defies explaination 4 me why some users seem to find it works for them, others do not. Also, please take into consideration not just some semblance of criticism per say mentioned about your program exhibiting bugs, but rather why then do you think would the developers of RKUnhooker consistently and also firstly refer to their low opinion of it?

At this point in time & after so many open forum exchanges over the course of all these months, would you not seriously regard what's been complained about often enough to finally offer some form of change in the gmer program to address against negative results experienced with it which in turn would also calm the notion that your program is considered buggy?

Curious minds would like to know.

Regards EASTER

 

If you have backups on other media then nothing to worry about.

He doesn't like this word - bug. Actually it bring him in the panic-like state,

 

OK. I have those. Thanks !!!

 

@EASTER.2010

Sorry about your problems but we already discussed your huge configuration which is the probably reason of the conflict. Just use your favorite detector and you will be safe and one more thing - using VM to play with malware is not recommended - I hope you guys knew it ?

@Rustock author
Smart, but please note that 11 threads are much to small !

 

Hey EP/Gmer et all.

Going away from ARK tools but focusing on Rustock C how about some data/info known about this next generation RK?
There is no technical data available yet

I have read stuff in closed communication(s) with experts but as yet have seen no publically published data on it.So any of you guys want to show us your *kong fu*

This is not about what ARK does what but what Rustock C is about,its operations and methods/deployment etc

My standpoint is that PE386 claims it is in the wild and bypass's all current ARK tools....fine but is he telling the truth or just having some fun?

I am still hunting after this RK,monitoring my sources where PE386's stuff is pushed and the only *new thing* coming out of thoes sources was winlogon/ndis patching stuff that appeared mid/late Jan07.

At the time when i first recovered that infection i believed that C had been bagged.Firewall bypassing and undetectable by all current ARK's since no components were being hidden by traditional methods but patching of system files and drivers.Made sense at the time but like i said closed communications have dispelled that idea although a new very entrenched infection had surfaced

So what of it,who is going to be the first to blow the whistle on this alledged badboy

 

@fcukdat

take a look at :

i386.sys(2005) -> sysbus32.sys(2005/2006) -> msguard.sys(2006) -> lzx32.sys(2006/2007)

and you will see the evolution of this "guy" and his "skills"

 

Thanks gmer for the historic timeline of his creations,always interesting to join the dots on the author

But for now Rustock C=

 

It's just an advertising - the basic economic rule

 

So its not in the wild yet ?

 

gmer, want to tell you, how to bypass ARK's, AV's, FW?

1. inline at disk driver (that gives abilities to control any data operation, including registry reading and file system reading)

2. drX registers controlling

3. patch protection based on filtering, remember disk driver, you will not be able to decide was something hooked or not.

4. direct network card transactions (without touching network drivers), that's hard but possible.

5. polymorphic body for each infected machine, based for example on hardware id. That's automatically will bypass all antiviruses with their pathetic signatures love.

6. antidebug and antivm

Gmer, your tool will not be able detect even 10% of technologies implemented in rustock.c as well as in unreal.b - e. Are you really think that your program can detect something unpublic? =))) WoW, nice try.

As for current implementation of GMER v1.0.12 latest build... if talking seriously, not usually as you want to talk with me, then your tool:
- is not antirootkit
- absolutelly UNSTABLE
- it is freaking BUGGY and SLOW
- can't detect unusual inline hooks / hooks based on tables
- absolutelly can't detect hidden drivers
- has weak registry/files scan abilities. Your last statements about Unreal.A "remembering of root directory scan" - laughable. How you can remember what you don't knows?

Actually it was

i386.sys (end of 2005)
sysbus32 (2006)
pe386 (2006) rustock.a
huy32 (2006) rustock.b (one of betas)
lzx32 (2006) rustock.b
rstk (2006) rustock.c

 

To all, and we do mean everyone....

The thread's topic is about the Rustock Trojan. We don't mind if the discussion moves around the border of a topic, as long as it's stays relevant to the nominal topic.

What we do not want to see, and will not tolerate, are personal insults and sarcastic comments towards any other member. That stops now. Period. If there are personal issues that need to be resolved, then sort it out privately. Do not use this board for that purpose.

Regards,

Blue, et al.

 

l*o*l

I really enjoy this thread

Something in that kind was in my thoughts. Polymorphic surely, working on super low level, hooking into disk driver (are you sure this technique exists only since 2006? or either already since 1999/2000?)

Probably for keyhook.

I thought about it´s capabilities concerning registry infiltration.
Harddisk to registry or something like that, somewhere I read about things like, surviving reformats or harddisk excahnges, only signs can be found in registry, a.s.o.. just some thoughts. Don´t know how far this has become reality.

I bet no, if it acts on hardware level, then forget it and get used to by living in the matrix, we all are part of the great game.

Yes, it´s so nice to play cat and mouse game.