Rustock Trojan A Model For Future Threats

Discussion in 'malware problems & news' started by ronjor, Dec 14, 2006.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,798
    Location:
    Texas
    Article
     
  2. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    Nice article, Ronjor... and to think most people think us IT guys are just surfing :D
     
  3. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Good, interesting article; I disagree about BlackLight being an advanced tool (there are better ones available if you try a few more out: GMER, RKU, etc.).

    I have a URL that drops Rustock.A via an exploit into an ADS on an NTFS-based OS. If any experts require info then drop me a PM :)

    Also, the latest evolution of Rootkit Unhooker (RKU) will allow for the retrieval, after uncovering, of the malware file that is loaded into the ADS. Very neat trick :D
     
  4. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Hello everyone.

    I think I can shed some light on Rustock.A/B and this article. Since we are from the same country as PE386, I will be the devil's advocate :)

    Wrong. It hooks the SYSENTER instruction or the 2e interrupt and filters the Zw registry-related functions. Rustock.B (claimed as Rustock v1.2 inside the binary) was really improved in this area. Now it uses splicing of the SYSENTER hook. It allocates some memory in ntoskrnl and sets a jump to its driver. So it doesn't hook APIs; it hooks their handler. The files of this rootkit can be found via raw disk reading, so nothing has been patched here.

    List of anti-rootkit signatures inside Rustock.B (v1.2): DarkSpy, GMER, BlackLight, RkDetector, RootkitRevealer. How does it detect them? Very simple: the rootkit scans executables from kernel mode and searches for a specific signature of each of them. For example, for GMER it is the "gmer" string inside. Firewalls and Rustock work on different levels. Firewalls are already getting data that was filtered by the rootkit. They are playing in different leagues. Also, it contains a special block that removes third-party spam malware from the affected computer. So it is some kind of antivirus =)

    It simply has very many builds, lol. Each time they are encrypted by PE386's personal cryptor, and the build becomes unknown to signature scanners. True polymorphic code: Gromozon.

    As for BlackLight, I see no problem in bypassing it. Too much PR about it and too weak in real life.

    More to say: the next generation of Rustock will be improved many times over. The author keeps updating its technologies and algorithms, so I must say the next release will be undetectable by any AV/firewall and anti-rootkit program available today. Only an external scan will help. I'm looking at this rootkit not as malware but as a perfectly coded thing.
     
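EP_X0FF's description above (an MSR / interrupt 2e hook in the first Rustock, and in Rustock.B a spliced handler that lands on a stub inside ntoskrnl and only then jumps on to the driver) implies a concrete check: read IA32_SYSENTER_EIP, confirm it points into ntoskrnl, then follow every unconditional transfer from that point and see where execution finally ends up. The script below is an added example, not code from the thread or from Rustock/RKU; the kernel layout, addresses, image size and byte strings are constructed, and the same walk applies to the IDT entry for interrupt 0x2E. On a real machine the MSR value and code bytes come from a kernel-mode read or an offline memory image.

```python
"""Follow the SYSENTER entry point out of ntoskrnl.

Added example, not code from the thread or from Rustock/RKU.  The addresses,
image size and byte strings below are constructed to illustrate the check;
on a real system you would read IA32_SYSENTER_EIP (MSR 0x176) and the code
bytes from kernel mode or from a memory image."""
import struct

IA32_SYSENTER_EIP = 0x176   # real MSR number; every value fed to it below is constructed


class Memory:
    """Minimal model of readable kernel address space: list of (base_va, bytes)."""

    def __init__(self, segments):
        self.segments = list(segments)

    def read(self, va, n):
        for base, data in self.segments:
            if base <= va and va + n <= base + len(data):
                return data[va - base:va - base + n]
        raise ValueError(f"unmapped read of {n} bytes at {va:#x}")


def in_image(va, base, size):
    return base <= va < base + size


def decode_transfer(mem, va):
    """Target VA if the code at `va` starts with an unconditional transfer a hook
    would plant (jmp rel8/rel32, jmp [abs32], push imm32; ret); otherwise None."""
    op = mem.read(va, 1)[0]
    if op == 0xE9:                                          # jmp rel32
        rel, = struct.unpack("<i", mem.read(va + 1, 4))
        return (va + 5 + rel) & 0xFFFFFFFF
    if op == 0xEB:                                          # jmp rel8
        rel, = struct.unpack("<b", mem.read(va + 1, 1))
        return (va + 2 + rel) & 0xFFFFFFFF
    if op == 0xFF and mem.read(va + 1, 1)[0] == 0x25:       # jmp dword ptr [abs32]
        ptr, = struct.unpack("<I", mem.read(va + 2, 4))
        return struct.unpack("<I", mem.read(ptr, 4))[0]
    if op == 0x68 and mem.read(va + 5, 1)[0] == 0xC3:       # push imm32; ret
        return struct.unpack("<I", mem.read(va + 1, 4))[0]
    return None


def check_sysenter(mem, sysenter_eip, ntos_base, ntos_size, max_hops=8):
    """Walk the control-transfer chain from the SYSENTER handler.

    Returns (findings, clean).  `findings` records an out-of-image MSR value
    and every hop with whether its target lies inside ntoskrnl; `clean` is True
    only if the MSR points into ntoskrnl and the handler prologue does not
    transfer control anywhere."""
    findings = []
    if not in_image(sysenter_eip, ntos_base, ntos_size):
        findings.append(f"IA32_SYSENTER_EIP={sysenter_eip:#x} is outside ntoskrnl")
    va = sysenter_eip
    for _ in range(max_hops):
        target = decode_transfer(mem, va)
        if target is None:
            break
        where = "inside" if in_image(target, ntos_base, ntos_size) else "OUTSIDE"
        findings.append(f"{va:#x} -> {target:#x} ({where} ntoskrnl)")
        va = target
    return findings, not findings


def jmp_rel32(src, dst):
    """Encode `jmp rel32` at src reaching dst (what a splice writes over a prologue)."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))


# --- constructed scenarios (XP-like layout; none of these values come from the page)
NTOS_BASE, NTOS_SIZE = 0x804D7000, 0x001F0000
KIFASTCALL = 0x804DE6F0                  # handler the MSR normally points at
STUB = 0x80670000                        # slack inside ntoskrnl's range used by the splice
PTR = 0x80670010                         # pointer cell the stub jumps through
DRIVER = 0xF8A21000                      # rootkit driver entry, outside ntoskrnl
CLEAN_PROLOGUE = bytes.fromhex("b9230000006a300fa1")     # mov ecx,23h; push 30h; pop fs
DRIVER_CODE = bytes.fromhex("558bec")                    # push ebp; mov ebp,esp


def scan_clean():
    mem = Memory([(KIFASTCALL, CLEAN_PROLOGUE)])
    return check_sysenter(mem, KIFASTCALL, NTOS_BASE, NTOS_SIZE)


def scan_msr_hooked():
    """The MSR itself redirected at the driver (the plain SYSENTER hook case)."""
    mem = Memory([(KIFASTCALL, CLEAN_PROLOGUE), (DRIVER, DRIVER_CODE)])
    return check_sysenter(mem, DRIVER, NTOS_BASE, NTOS_SIZE)


def scan_spliced():
    """MSR untouched; the handler prologue is spliced to a stub inside ntoskrnl's
    range that jumps through a pointer to the driver (the Rustock.B case)."""
    mem = Memory([
        (KIFASTCALL, jmp_rel32(KIFASTCALL, STUB) + CLEAN_PROLOGUE[5:]),
        (STUB, b"\xff\x25" + struct.pack("<I", PTR)),
        (PTR, struct.pack("<I", DRIVER)),
        (DRIVER, DRIVER_CODE),
    ])
    return check_sysenter(mem, KIFASTCALL, NTOS_BASE, NTOS_SIZE)


if __name__ == "__main__":
    for name, scan in (("clean", scan_clean), ("msr hooked", scan_msr_hooked),
                       ("spliced", scan_spliced)):
        findings, clean = scan()
        print(f"{name}: {'clean' if clean else 'HOOKED'}")
        for line in findings:
            print("   ", line)
```

The point of the constructed spliced case is that a bare range check on the MSR passes it, because the stub sits inside ntoskrnl's address range; following the chain is what exposes the exit to the driver. The decoder only recognises the transfers hooks usually plant, so a prologue rewritten with some other sequence needs a real disassembler, and the "clean" verdict should additionally be backed by comparing the first bytes of the handler against the on-disk ntoskrnl image.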
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Thanks EP_X0FF for the insight

    :D
     
    Last edited by a moderator: Dec 15, 2006
  6. ourwilly

    ourwilly Registered Member

    Joined:
    Nov 7, 2004
    Posts:
    4
    Hello fcukdat

    Can you please provide that URL link for me via 'pm'

    Thank you.
     
  7. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    Yep Correct.
     
  8. Z0mBiE

    Z0mBiE Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    21
    Agree. The most advanced malware available today. Has somebody already got Rustock.C?
     
  9. SirMalware

    SirMalware Registered Member

    Joined:
    Jun 6, 2006
    Posts:
    133
    God I love my BartPE. :cool:
     
  10. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    SirMalware :
    Admin's best friend
     
  11. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Sounds bodyless.
     
  12. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,
    Add Linux CDs to that list.
    When I wrote about discovering rootkits easily using live CDs a long time ago, on the far end of commentary, I even received some ridicule.
    Mrk
     
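Mrkvonic's point, together with EP_X0FF's remark that only an external scan will help, is the cross-view idea: enumerate files and registry keys once from inside the running OS and once from outside it (live CD, BartPE, hives loaded from the hive files), then diff the two. A filtering rootkit can only lie in the first view. The script below is an added example, not from the thread or from any tool named in it; both listings, the ADS name and the service name in them are constructed, and the content-hash comparison is a general cross-view step rather than something the posts describe.

```python
"""Cross-view comparison: what the running OS reports vs. what an offline
enumeration of the same disk shows.

Added example, not code from the thread or from any tool named in it.  Both
listings are constructed.  In practice the 'live' listing is produced while
the suspect OS is booted and the 'offline' one from a live CD / BartPE with
the disk mounted read-only and the registry hives loaded from the hive files."""
import hashlib


def sha(data):
    return hashlib.sha256(data).hexdigest()


def rec(kind, path, content=b""):
    """One listing line: kind (file|reg), path, byte size, SHA-256 of content.
    Registry keys carry no content here, so they compare on existence only."""
    return f"{kind}\t{path}\t{len(content)}\t{sha(content)}"


def parse_listing(text):
    """Tab-separated lines -> {(kind, path): (size, sha256)}.  Paths are
    compared case-insensitively, as NTFS and the registry are."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, path, size, digest = line.split("\t")
        entries[(kind, path.lower())] = (int(size), digest.lower())
    return entries


def cross_view_diff(live, offline):
    """hidden: on disk / in the hive but denied by the live OS (what a filtering
    rootkit produces); phantom: reported by the live OS only; tampered: present
    in both views but with different size or content (a spoofed read)."""
    hidden = sorted(k for k in offline if k not in live)
    phantom = sorted(k for k in live if k not in offline)
    tampered = sorted(k for k in live if k in offline and live[k] != offline[k])
    return {"hidden": hidden, "phantom": phantom, "tampered": tampered}


# --- constructed sample data (names, sizes and contents invented for the demo)
NTOS = b"ntoskrnl.exe image bytes (constructed)"
HAL = b"hal.dll image bytes (constructed)"
HOSTS_CLEAN = b"127.0.0.1 localhost\n"
HOSTS_DIRTY = HOSTS_CLEAN + b"127.0.0.1 update.example\n"
ADS_DRIVER = b"driver body stored in an NTFS alternate data stream (constructed)"

LIVE_LISTING = "\n".join([
    "# constructed: as enumerated from inside the booted OS",
    rec("file", r"C:\WINDOWS\system32\ntoskrnl.exe", NTOS),
    rec("file", r"C:\WINDOWS\system32\hal.dll", HAL),
    rec("file", r"C:\WINDOWS\system32\drivers\etc\hosts", HOSTS_CLEAN),  # spoofed read
    rec("reg", r"HKLM\SYSTEM\CurrentControlSet\Services\Beep"),
])

OFFLINE_LISTING = "\n".join([
    "# constructed: same volume from a live CD; an ADS is listed as path:stream",
    rec("file", r"C:\WINDOWS\system32\ntoskrnl.exe", NTOS),
    rec("file", r"C:\WINDOWS\system32\hal.dll", HAL),
    rec("file", r"C:\WINDOWS\system32\drivers\etc\hosts", HOSTS_DIRTY),
    rec("file", r"C:\WINDOWS\system32:hidden.sys", ADS_DRIVER),
    rec("reg", r"HKLM\SYSTEM\CurrentControlSet\Services\Beep"),
    rec("reg", r"HKLM\SYSTEM\CurrentControlSet\Services\hidden"),
])


def run_diff():
    return cross_view_diff(parse_listing(LIVE_LISTING), parse_listing(OFFLINE_LISTING))


if __name__ == "__main__":
    for category, keys in run_diff().items():
        print(category)
        for kind, path in keys:
            print(f"    [{kind}] {path}")
```

Some "phantom" entries and a little "tampered" noise (logs, the pagefile, anything that changed between the two enumerations) are expected; what matters is a driver, executable or service key that only the offline view knows about, as with the constructed ADS and service key here. A listing produced by a tool that runs on the live box with "raw disk access" is still subject to whatever the kernel lets it read, which is why the boot CD is the stronger reference.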
  13. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I have some new science fiction for you Mrkvonic ;-)

    PCI ROM ROOTKIT, I am not sure if it is allowed to post the link, but look at x solve.

    Throw your linux cd into dustbin :-D

    Linux will show a bit more than Windows; you will see an unknown device, but you can do nothing against it with your Linux CD. At most, watching the logs for unknown things at boot-up.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,

    SystemJunkie, I realize you have LOTS of fun with what you do. Honestly, I understand your passion.

    If you place code outside the operating system, like in hardware peripherals, BIOS, video card, sound card, network card, etc., you will achieve that which you claim.

    BUT:

    These threats must be adapted to specific computer architecture, otherwise they won't work - which means a subtype for every hardware piece out there.
    These threats must be installed somehow, and doing that from within the operating system sounds a bit unlikely.
    A simple reflash of these devices will erase these threats.
    Proof of concept in lab is one thing; reality is another.

    I read what John Heasman and Joanna Rutkowska have to say. Very nice for making a PhD. But that's not the reality.

    There is no malware sample that does that and is out there. The task is too complex to achieve.

    Some quotes:

    "Both Intel SecureFlash and Phoenix TrustedCore motherboards prevent the system BIOS from being overwritten with unsigned updates."

    From the article and paper: "(Because) enough people do not regularly apply security patches to Windows and do not run anti-virus software, there is little immediate need for malware authors to turn to these techniques as a means of deeper compromise."

    "Heasman, a researcher at Next-Generation Security Software, does not believe that such techniques will become commonplace."

    Mrk
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Worse than gromozon? Maybe... still, I doubt it... I read the last Virus Bulletin description of that one, and I still have nightmares. The worst thing is, this is not some proof-of-concept threat that was built by security experts to point out how far you can go, it was very real and very widespread (at least in Italy)... :(
     
  16. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Here is another link for PCI Rootkits.
    Rootkits on your sound card, network card... anything is possible.

    I saw other things; besides, there are surely other manufacturers than only Intel and Phoenix, and most mainboards nowadays have e.g. no BIOS protection!
     
  17. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,700
    Hello,
    Most mainstream computers nowadays do have BIOS protection.
    Mrk
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK

    BK, you've got it!!!

    BTW *slaps forehead* I just remembered I have archived Rustock A + B droppers if you want to bypass the infection URLs and go straight to the installer/dropper file :)

    So if anyone wants the Rustock dropper files, I need a contact email address to send them as a zipped/passworded attachment.
     
  19. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    No. 80% not.
     
  20. Z0mBiE

    Z0mBiE Registered Member

    Joined:
    Dec 4, 2006
    Posts:
    21
    Gromozon: good malware for Prevx sales. Rustock is real spam-bot malware that works in kernel mode only. So it most extended.
     
  21. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    What the hell are you talking about? "Good malware for PrevX sales"? "So it most extended"? Give me a break. I've SEEN gromozon, I know what it does, I know how it works and I've seen HOW MANY people got infected. By the way, gromozon uses rootkit techniques as well.

    I have no idea what you're trying to say with crap like "good malware for PrevX sales"... are you saying that PrevX created gromozon to sell? Funny, that's exactly the kind of bull***t the creators of gromozon were trying to fool people with... are you by any chance familiar with them?
     
  22. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Guys, you are going totally off-topic ;) Gromozon and Rustock are different rootkits.
     
  23. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    I know... I am not familiar with Rustock. Only, since it's been labeled as "the most advanced malware", I was asking if anybody who's seen both thinks this is more "advanced" than gromozon (which I've seen quite a bit). Now, don't get me wrong... Rustock might be "worse", so to speak. But really, I have to see it to believe it, since gromozon is an absolute nightmare for how deeply it goes into the system.
     
  24. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Well, I saw both in real action. On my machine =)

    Gromozon: a perfectly coded polymorphic engine. But it works only in user mode and hooks only user-mode functions. Also, it uses some undocumented features of file systems. It actively blocks anti-rootkit programs from starting by searching for specific words in captions and file version info blocks. That is too obvious for a hidden thing. The one thing you need to remove it: simply start a modern anti-rootkit program with low-level disk access and the ability to unhook hooked functions. After this, the main morphed DLL of Gromozon can be wiped, and the rootkit dies after a reboot.

    Rustock: another perfectly coded rootkit that works only in kernel mode but actively interacts with user mode (a thread inside services.exe). Unlike Gromozon, it is not hooking the API; it is hooking the API's global handler. So here it is the most advanced. It does not prevent anti-rootkit programs from starting; it stays totally hidden when they start. In the beginning, only our program was able to detect the rootkit driver. It uses advanced signature scanning to search for anti-rootkits, counteracts Kaspersky's klif.sys, and hides its presence in an ADS, so here it is indisputably the most advanced malware. The main problem of Gromozon was that it was really easy to detect: just start something "anti-RK", and if it doesn't start, then you have Gromozon :) Rustock is a real rootkit that hides its presence and counteracts anti-RK tools; it does not deny their start.

    So here I understand why people here (like Z0mBiE, for example) think that Gromozon + Prevx = love. As for my opinion about this, let's keep it a secret ;)
     
  25. Inspector Clouseau

    Inspector Clouseau AV Expert

    Joined:
    Apr 2, 2006
    Posts:
    1,329
    Location:
    Maidenhead, UK
    It is not. It is maybe one of the "most advanced malware" RECENTLY but it is not THE most advanced malware.
     