Rustock Trojan A Model For Future Threats

Discussion in 'malware problems & news' started by ronjor, Dec 14, 2006.

Thread Status:
Not open for further replies.
  1. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Look what the cat dragged in ;)

    *****AntiSpyware Scan Log
    Generated 01/15/2007 at 07:20 PM

    Application Version : 3.5.1016

    Core Rules Database Version : 3165
    Trace Rules Database Version: 1176

    Trojan.Downloader-CounterMeasures
    HKLM\System\ControlSet001\Services\ICF
    C:\WINDOWS\SYSTEM32\SVCHOST.EXE:EXE.EXE
    HKLM\System\ControlSet002\Services\ICF
    HKLM\System\ControlSet003\Services\ICF
    HKLM\System\ControlSet004\Services\ICF
    HKLM\System\CurrentControlSet\Services\ICF

    CWS malware quite possibly; I have seen O23 in HJT log after CWS/VX infection with ICF Internet Counter-Measures Framework listed.
    http://www.castlecops.com/o23list-2323.html
    Next time it comes down the pipes I will send you a copy of the associated files :)
     
    Last edited: Jan 15, 2007
  2. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Now I'm truly stoked as a software fanboy :D

    In the past 12 hours SUPERAntiSpyware free has successfully detected and removed 6 unique loaded lzx32.sys (Rustock B's) on my machine.

    I believe that SAS free has just joined the very exclusive club of Rustock killers alongside the other specialized ARK tools + PrevX Gromz tool.

    Can some of you guys verify this on your machines? TIA :)
     
  3. ejvindh

    ejvindh Registered Member

    Joined:
    May 18, 2005
    Posts:
    3
    I've experienced the same. SAS was, however, also able to do this at some point in Fall 2006. The problem is just that rustock.b changes all the time. And SAS' detection of Rustock.b has therefore not been stable.
     
  4. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Thanks ejvindh

    Last night was the first time it took out a Rustock c/o CWS infection on my PC.
    I know the *Vendor* had said that the software could nuke Rustock but I had never seen it happen till then.
    Just to double check I then ran another 5 unique trojan droppers/drivers and each time SAS kicked loaded Rustock out :thumb:

    FWIW these uniques were gathered c/o CWS infections previously over the last 3-4 months where SAS has been used to clean the infections but failed to detect Rustock at the time.
    Either Nick has had a purge on drivers or he has made a *special* rule for Rustock.... I'm just trying to work out which :)

    Thanks again for feedback
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    126,037
    Location:
    Texas
  6. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Hi

    Looks like "perfectly coded rootkit" dropped sophisticated SYSENTER hooking and came back to "old-school" SSDT hooks.

    Code:
    SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwCreateKey
    SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwDeviceIoControlFile
    SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwEnumerateKey
    SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwOpenKey
    SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwQueryKey
    SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwQuerySystemInformation
    SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwSaveKey
    SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwTerminateProcess
    
    Code     \??\D:\WINDOWS\system32:lzx32.sys        pIofCallDriver
    What a shame ! ;)

    Gmer
     
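    Added example (not from this thread or from any of the tools discussed): a small Python script that reads the kind of lines quoted in posts #1 and #6 above (the SUPERAntiSpyware registry/file entries and GMER's "SSDT ... Zw*" hook list) and pulls out the two defender-relevant signals they contain: which module hooks which SSDT entries, and whether that module or any flagged file lives in an NTFS alternate data stream (the "system32:lzx32.sys" and "SVCHOST.EXE:EXE.EXE" form). The sample log is constructed from the thread's own lines plus one clean "legit.sys" entry added for contrast; the column layout assumed for GMER output is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample (hypothetical): the SUPERAntiSpyware and GMER lines quoted
# in posts #1 and #6 of the thread, plus one clean GMER SSDT line added here
# for contrast ("legit.sys" does not appear in the thread).
SAMPLE_LOG = r"""
Trojan.Downloader-CounterMeasures
HKLM\System\ControlSet001\Services\ICF
C:\WINDOWS\SYSTEM32\SVCHOST.EXE:EXE.EXE
HKLM\System\CurrentControlSet\Services\ICF
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwCreateKey
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwEnumerateKey
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwQuerySystemInformation
SSDT     \??\D:\WINDOWS\system32:lzx32.sys        ZwTerminateProcess
SSDT     \SystemRoot\system32\drivers\legit.sys   ZwCreateFile
Code     \??\D:\WINDOWS\system32:lzx32.sys        pIofCallDriver
"""

# Assumed GMER layout: "<kind> <module path> <hooked symbol>", space separated.
HOOK_RE = re.compile(r"^(SSDT|Code)\s+(\S+)\s+(\S+)$")
# Registry service entries as they appear in the SAS log.
SERVICE_RE = re.compile(
    r"^HKLM\\System\\(ControlSet\d{3}|CurrentControlSet)\\Services\\(\S+)$", re.I)
# Windows file paths: drive-letter form or NT object path (\??\, \SystemRoot\).
PATH_RE = re.compile(r"^(?:\\\?\?\\)?(?:[A-Za-z]:|\\SystemRoot)\\", re.I)


def is_ads_path(path: str) -> bool:
    """True if the path names an NTFS alternate data stream (file:stream).

    The only colon a normal Win32 path contains is the drive letter's, so any
    further colon after the path prefix marks a stream name.  Both findings in
    the thread (SVCHOST.EXE:EXE.EXE and system32:lzx32.sys) match this rule.
    """
    p = path[4:] if path.startswith("\\??\\") else path
    if re.match(r"^[A-Za-z]:", p):
        p = p[2:]
    return ":" in p


def parse_line(line: str):
    """Classify one log line; returns (kind, details) or None for noise."""
    line = line.strip()
    m = HOOK_RE.match(line)
    if m:
        kind = "ssdt_hook" if m.group(1) == "SSDT" else "code_hook"
        return kind, {"module": m.group(2), "symbol": m.group(3)}
    m = SERVICE_RE.match(line)
    if m:
        return "service", {"control_set": m.group(1), "name": m.group(2)}
    if PATH_RE.match(line):
        return "file", {"path": line}
    return None


def analyze(log_text: str) -> dict:
    """Aggregate findings: which modules hook what, and which live in an ADS."""
    hooks = defaultdict(list)   # module path -> [hooked symbols, in log order]
    services = set()            # service names flagged in the registry
    ads_hosts = set()           # every ADS-hosted path seen anywhere in the log
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        kind, d = parsed
        if kind in ("ssdt_hook", "code_hook"):
            hooks[d["module"]].append(d["symbol"])
            if is_ads_path(d["module"]):
                ads_hosts.add(d["module"])
        elif kind == "service":
            services.add(d["name"])
        elif kind == "file" and is_ads_path(d["path"]):
            ads_hosts.add(d["path"])
    return {
        "hooks": dict(hooks),
        "services": sorted(services),
        "ads_hosts": sorted(ads_hosts),
        # A module that both hides in an ADS and hooks the SSDT is the pattern
        # the thread attributes to lzx32.sys; surface it explicitly.
        "ads_hookers": sorted(m for m in hooks if is_ads_path(m)),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for module, symbols in report["hooks"].items():
        tag = "ADS-hosted" if is_ads_path(module) else "on-disk file"
        print(f"{module} ({tag}) hooks: {', '.join(symbols)}")
    print("services:", report["services"])
    print("ADS hosts:", report["ads_hosts"])
```

    The ADS rule is deliberately simple: it only looks for a second colon, so it will also flag legitimate stream names (for example Zone.Identifier); the point is to make a kernel module loaded from a stream stand out in a scan log, not to judge it on its own.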
  7. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Gmer, do you seriously think that it is a new version?

    what a shame on you LOL
     
  8. MP_ART

    MP_ART Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    25
    Location:
    Krsk
    @gmer
    lol "old school" o_O o_O What about old bugs in your old school "antirootkit" :D :)
     
  9. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    Have you ever seen a "new" version or Mr PE386 mock at "us" :)
     
  10. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all:

    Discuss technical content, not members, or the discussion will be closed. If that's not clear enough, PM me for any additional clarification required.

    Blue
     
  11. EASTER.2010

    EASTER.2010 Guest

    Can latest version of Gmer fully remove it? :shifty:

    Uh, in other words is there an updated version of gmer the public might soon expect? :isay:

    A simple yes or no answer will suffice.
     
  12. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    Rustock.C? Of course - no. It can't even detect it.

    Not a surprise for me, because
    1. It is one of the easiest rkdetectors to bypass available today
    2. GMER (as well as all mainstream firewalls) obviously was in a technical project of this rootkit :)

    Nothing, no file, no keys, no hooks, no driver, no network activity. To detect it, or more - to remove it, a much more sophisticated level is needed, e.g. direct work with hardware.
     
  13. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    Not even when I replace my system partition with a new one ?
     
  14. EASTER.2010

    EASTER.2010 Guest

    @gmer

    Continued issues experienced on my units from your ARK detector lead me to probe you for some information. Again I must ask, do you or will you be releasing a newer version of gmer? Also it defies explanation for me why some users seem to find it works for them, others do not. Also, please take into consideration not just some semblance of criticism per se mentioned about your program exhibiting bugs, but rather why then do you think would the developers of RKUnhooker consistently and also firstly refer to their low opinion of it?

    At this point in time & after so many open forum exchanges over the course of all these months, would you not seriously regard what's been complained about often enough to finally offer some form of change in the gmer program to address against negative results experienced with it which in turn would also calm the notion that your program is considered buggy?

    Curious minds would like to know.

    Regards EASTER
     
  15. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    If you have backups on other media then there is nothing to worry about.

    He doesn't like this word - bug. Actually it brings him into a panic-like state, :eek:
     
  16. ErikAlbert

    ErikAlbert Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    9,455
    OK. I have those. Thanks !!!
     
  17. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @EASTER.2010

    Sorry about your problems but we already discussed your huge configuration which is probably the reason of the conflict. Just use your favorite detector and you will be safe ;) and one more thing - using a VM to play with malware is not recommended - I hope you guys knew it?

    @Rustock author
    Smart, but please note that 11 threads are much too small!
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hey EP/Gmer et al.

    Going away from ARK tools but focusing on Rustock C, how about some data/info known about this next generation RK?
    There is no technical data available yet o_O

    I have read stuff in closed communication(s) with experts but as yet have seen no publicly published data on it. So any of you guys want to show us your *kong fu* o_O

    This is not about what ARK does what but what Rustock C is about, its operations and methods/deployment etc

    My standpoint is that PE386 claims it is in the wild and bypasses all current ARK tools.... fine but is he telling the truth or just having some fun?

    I am still hunting after this RK, monitoring my sources where PE386's stuff is pushed and the only *new thing* coming out of those sources was winlogon/ndis patching stuff that appeared mid/late Jan07.

    At the time when I first recovered that infection I believed that C had been bagged. Firewall bypassing and undetectable by all current ARKs since no components were being hidden by traditional methods but patching of system files and drivers. Made sense at the time but like I said closed communications have dispelled that idea :oops: although a new very entrenched infection had surfaced :'(

    So what of it, who is going to be the first to blow the whistle on this alleged bad boy o_O
     
  19. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    @fcukdat

    take a look at :

    i386.sys(2005) -> sysbus32.sys(2005/2006) -> msguard.sys(2006) -> lzx32.sys(2006/2007)

    and you will see the evolution of this "guy" and his "skills" ;)
     
  20. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Thanks gmer for the historic timeline of his creations, always interesting to join the dots on the author :thumb:

    But for now Rustock C= o_O
     
  21. gmer

    gmer Developer

    Joined:
    May 8, 2006
    Posts:
    86
    It's just advertising - the basic economic rule ;)
     
  22. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    o_O
    So its not in the wild yet ?
     
  23. EP_X0FF

    EP_X0FF Registered Member

    Joined:
    Nov 8, 2006
    Posts:
    233
    gmer, want to tell you how to bypass ARKs, AVs, FWs?

    1. inline at disk driver (that gives the ability to control any data operation, including registry reading and file system reading)

    2. drX registers controlling

    3. patch protection based on filtering, remember disk driver, you will not be able to decide whether something was hooked or not.

    4. direct network card transactions (without touching network drivers), that's hard but possible.

    5. polymorphic body for each infected machine, based for example on hardware id. That will automatically bypass all antiviruses with their pathetic signature love.

    6. antidebug and antivm

    Gmer, your tool will not be able to detect even 10% of the technologies implemented in rustock.c as well as in unreal.b - e. Do you really think that your program can detect something unpublic? =))) WoW, nice try.

    As for the current implementation of GMER v1.0.12 latest build... if talking seriously, not as you usually want to talk with me, then your tool:
    - is not an antirootkit
    - absolutely UNSTABLE
    - is freaking BUGGY and SLOW
    - can't detect unusual inline hooks / hooks based on tables
    - absolutely can't detect hidden drivers
    - has weak registry/file scan abilities. Your last statements about Unreal.A "remembering of root directory scan" - laughable. How can you remember what you don't know?

    Actually it was

    i386.sys (end of 2005)
    sysbus32 (2006)
    pe386 (2006) rustock.a
    huy32 (2006) rustock.b (one of betas)
    lzx32 (2006) rustock.b
    rstk (2006) rustock.c
     
    Last edited by a moderator: May 7, 2007
  24. BlueZannetti

    BlueZannetti Registered Member

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    To all, and we do mean everyone....

    The thread's topic is about the Rustock Trojan. We don't mind if the discussion moves around the border of a topic, as long as it stays relevant to the nominal topic.

    What we do not want to see, and will not tolerate, are personal insults and sarcastic comments towards any other member. That stops now. Period. If there are personal issues that need to be resolved, then sort it out privately. Do not use this board for that purpose.

    Regards,

    Blue, et al.
     
  25. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    l*o*l

    I really enjoy this thread :D :D :D :cool: :cool: :D :D :D :thumb: :thumb: :thumb:

    Something of that kind was in my thoughts. Polymorphic surely, working on super low level, hooking into disk driver (are you sure this technique exists only since 2006? or rather already since 1999/2000?)

    Probably for keyhook.

    I thought about its capabilities concerning registry infiltration.
    Harddisk to registry or something like that, somewhere I read about things like surviving reformats or harddisk exchanges, only signs can be found in registry, a.s.o. Just some thoughts. Don't know how far this has become reality.

    I bet no, if it acts on hardware level, then forget it and get used to living in the matrix, we all are part of the great game. :D :D :D

    Yes, it's so nice to play cat and mouse game. :D :D :D
     
    Last edited: May 8, 2007