Rustock.a, Rustock.b... For those familiar with security and malware, these are the nicknames of programs known as the most powerful and most dangerous rootkits. The Rustock family (written in Russia) turns your PC into a spam robot, so that without knowing it you become "responsible" for sending hundreds of emails (medication, Viagra, pornography, etc.).
A and B were initially hard to detect and remove, but the antivirus / anti-rootkit vendors detected them "quickly" and today many tools handle them correctly.
In fact, since late 2006 / early 2007 there has existed a Rustock.C version, never confirmed because it was unknown to the antivirus vendors, who could not get hold of a sample of the rootkit. Rustock.C remained a myth / a rumor on hacker forums, and was only officially detected / analyzed and acknowledged from the announcement of 6 May 2008 by the vendor DrWeb, with:
- a news item at http://info.drweb.com/show/3342/en
- and a notice published at http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf
In fact, according to HolaHola, the existence of "Rustock.C" was discovered accidentally during 2007, and it was decompiled and analyzed in October 2007 by SEYE. It was first published by USForce on the Sysinternals forum (acquired by Microsoft) in November 2007.
But until April / May 2008, until the DrWeb publication, Rustock.C was not the subject of deeper research by the vendors. Since then almost all of them have added a Rustock.C detection tool.
Rustock.C therefore lived between 1 and 1.5 years in complete stealth: a record in the anti-malware world!
Since then it is "probable" that new variants exist which we do not yet know how to detect 🙁
You can try DrWeb's CureIt detection & disinfection tool, downloadable from http://freedrweb.com/
To find out more:
6 May 2008: http://www.wilderssecurity.com/showthread.php?t=208386
22 May 2008: HolaHola publishes at http://forum.sysinternals.com/forum_posts.asp?TID=14844 a technical description of the rootkit and its mode of operation:
The text below is a copy of the original text published on the Sysinternals forum. It is preferable to refer to the link above.
********************************************************************************************
Prologue
Rootkit created: approximately fall 2006 / beginning of 2007.
First revealed: accidentally, June 2007.
Unpacked and analyzed: October 2007 by SEYE Emulator.
First unofficial publication of information: November 2007 by USForce (SysInternals Forums).
Officially revealed and demystified: DrWeb Antivirus Lab, April-May 2008.
Active undetected lifetime: approximately 1.5 years (an absolute record for Windows-oriented malware).
TTL: approximately 1 year (passed).
Rootkit origin: Russian Federation.
Rootkit ancestor: Rustock.B (revealed June 2006).
Rootkit successor: Rustock.D (probably still unrevealed, if it exists).
Rootkit series author(s): ???Unknown???, origin Russian Federation.
The Power of Rustock.C
Rustock.C is the most powerful rootkit ever found under Windows up to the present time. The key features which make it so powerful and so undetectable are:
1. The most advanced polymorphic protector ever seen in the malware area to date
2. Stealth-by-design implementation
3. Anti-anti-rootkit part
4. Extremely effective firewall bypassing
5. Extremely effective support management
Polymorphic protector
Specially created mechanisms and methods which do the following:
1. Deadly effective against kernel-mode debugging and tracing
2. Deadly effective against signature-based detection methods and modern heuristics
3. Dramatically slows down the reverse-engineering process (even for qualified specialists)
The Rustock.C polymorphic protector represents a combination of most of the known anti-debugging tricks and tips, implemented in a kernel-mode engine. Never seen before.
The protector itself contains several layers with different degrees of code morphing. The protector controls the DR registers and counteracts debugging with tools such as Syser or SoftICE. Rustock.C makes using WinDbg completely impossible.
It is very hard to unpack, but not impossible. Everything that can be executed can be cracked.
Stealth by Design Implementation
You may be wondering how this stuff works, when everything is under control and there are not so many ways to get into kernel mode. Still wondering? The time of pure trojans has passed. The new generation of trojans not only successfully works in kernel mode but also becomes a part of the operating system itself. Let's leave behind rumors and idiocy such as Blue Pill and concentrate all our attention on two questions.
How? And Where?
You may be wondering, but you can watch this rootkit running on your system every day for months (and even years!) and never think that it is a piece of malware.
So How?
Rustock.C is the first fully functional kernel-mode virus. Its targets are innocent Microsoft Windows system drivers located in the X:\WINDOWS\SYSTEM32\DRIVERS directory, where X is your system disk, and it does not matter whether they are signed or not; that would not help enough.
Your prevention system can't stop the rootkit from loading, for two reasons: it loads before the HIPS, and it is a trusted Microsoft system driver.
C:\WINDOWS\SYSTEM32\DRIVERS\IMAPI.SYS –> Size mismatch between Windows API and raw data –> 41856 bytes / 329080 bytes
The rootkit works at the lowest levels of the system. The virus part of the rootkit locates a victim by the following criteria: the victim should be a Microsoft-compiled driver and it must have the Boot or System start flag in the registry. Then it "owns" the victim by combining the original innocent driver with the rootkit body. The difference in size between the original and infected drivers is hidden with the help of a few smart inline (splice) hooks in the other system drivers responsible for file-system support and operation, drivers such as ntfs.sys for NTFS and fastfat.sys for FAT32.
For example, on FAT32 systems the rootkit sets the following hooks:
fastfat.sys –> [IRP_MJ_CLOSE]
fastfat.sys –> [IRP_MJ_CREATE]
fastfat.sys –> [IRP_MJ_DIRECTORY_CONTROL]
fastfat.sys –> [IRP_MJ_QUERY_INFORMATION]
fastfat.sys –> [IRP_MJ_READ]
fastfat.sys –> [IRP_MJ_SET_INFORMATION]
fastfat.sys –> [IRP_MJ_WRITE]
fastfat.sys –> [Base + 0x00008405]
As you see, Rustock.C hooks several IRP handlers which are responsible for common FS operations. Here is also the protection from overwriting and reading infected data. On NTFS volumes the hooks will be the same, but in ntfs.sys.
Remarkable!
ntfs.sys or fastfat.sys could also be victims of the rootkit.
Rustock.C has a special mechanism: it walks through system drivers, disinfecting the previous victim and infecting a new one. So even if you locate the infected driver, the infection can migrate to another file and you will miss the target.
Anti-rootkits can't see this rootkit because they don't know what (and how) they should look for.
And also because all of them, except three or four products, are totally lame and an unacceptable solution for defeating / revealing rootkits (even old ones).
On FAT32 volumes this technique is so effective that the most advanced public anti-rootkit available today, GMER v1.14+, doesn't see anything. Absolutely zero. There exist only 4 anti-rootkits in the full meaning of this word: GMER/RKU/IceSword/RkTrap. Everything else is just trash.
The source of the hooks looks like this. It is a remarkable solution, because the public anti-rootkits available today aren't powerful enough to detect such code modifications and trace them successfully.
push cs
nop
sub esp, 4
mov dword ptr [esp], 81122FFEh
retf
13-byte inline hook
Again, it is remarkable.
This rootkit doesn't have any processes, files or registry entries. It becomes a part of the operating system, which is impossible to remove simply by deleting without killing Windows.
It exists as a set of threads working somewhere in allocated memory in kernel mode. And you can't even trace them by start address, because that is a bad idea from the beginning, simply because it is very easy to bypass by determination. Here is a small example:
0x820D5A4C PAGE WITH EXECUTABLE CODE
0x820BC7FA PAGE WITH EXECUTABLE CODE
0x820AD7F6 PAGE WITH EXECUTABLE CODE
0x820A5F29 PAGE WITH EXECUTABLE CODE
0x820D3740 PAGE WITH EXECUTABLE CODE
0x820AF662 PAGE WITH EXECUTABLE CODE
0x8209E5C7 PAGE WITH EXECUTABLE CODE
0x820D54F4 PAGE WITH EXECUTABLE CODE
0x820CB2BC PAGE WITH EXECUTABLE CODE
0x820BF280 PAGE WITH EXECUTABLE CODE
0x8214B1B0 PAGE WITH EXECUTABLE CODE
For bypassing firewalls this rootkit uses several inline hooks in the network drivers:
tcpip.sys –> [IRP_MJ_CREATE]
tcpip.sys –> [IRP_MJ_INTERNAL_DEVICE_CONTROL]
tcpip.sys –> [Base + 0x00003CFA]
wanarp.sys –> [Base + 0x000053FD]
There is nothing really new here. Moreover, it looks like the network part of this rootkit wasn't heavily changed since version B.
This rootkit will successfully work on the following Windows versions:
x86 Windows 2000 (SP1, SP2, SP3, SP4)
x86 Windows XP (SP1, SP2, SP3)
x86 Windows 2003 (SP1, SP2)
x86 Windows Vista
But that is not all!
Even more: some stuff is just waiting for your attention.
As you probably know, previous versions of this rootkit suffered from a pure love of SYSENTER and IDT hooking. The first A version of Rustock simply hooks SYSENTER by replacing the original handler address with its own. The second B version of Rustock extends this by building a little gate inside the loaded ntoskrnl.exe to the actual handler located inside the malicious code.
The third C variant brings more fun here.
Rustock.C, unlike the previous variants, directly hooks the unexported SSDT dispatcher function called _KiSystemService (this is the actual internal Microsoft name for it).
Hooking this function grants the rootkit the exclusive ability to filter EVERY system call passed from user mode, even calls of the graphics and messaging subsystems.
And it filters!
Example:
kernel32.dll:TerminateProcess –> ntdll.dll:NtTerminateProcess–>sysenter or INT2E–>Kernel Mode –>_KiSystemService–>Actual Kernel Service.
Here is the hook:
ntkrnlpa.exe –> [Base + 0x000695F0]
The following functions are under the control of Rustock.C:
NtCreateThread
NtCreateThreadEx
NtDelayExecution
NtDuplicateObject
NtOpenThread
NtProtectVirtualMemory
NtQuerySystemInformation
NtReadVirtualMemory
NtResumeThread
NtTerminateProcess
NtTerminateThread
NtWriteVirtualMemory
Okay, let's explore some of them. What is the purpose of these hooks? What do they hide? Or what do they protect?
Basically Rustock.C contains two parts: a kernel-mode backdoor and a user-mode spam-sending library. The rootkit injects this library into the winlogon.exe process. It is very convenient, because this process is always trusted by firewalls and this can't be changed due to operating system specifics.
You may be wondering again: a spam library inside winlogon.exe should be very easy to detect, shouldn't it? Of course. But do you really think the author of Rustock doesn't know about this? So he made a special protection layer for this library. It is mapped in winlogon.exe memory and doesn't exist in the PEB LDR lists. The memory range occupied by this library is protected with the help of the NtReadVirtualMemory, NtWriteVirtualMemory and NtProtectVirtualMemory hooks, so it can be dumped with the usual tools, including most anti-rootkits. The library contains threads executing in user mode. They are hidden from the Windows API with the help of the NtQuerySystemInformation, NtOpenThread and NtTerminateThread hooks. It is the first time a rootkit hides user-mode threads from being detected. Amusing: so many hooks and all this works?! Yes, and extremely stably, we must admit. Even in an MPC environment this rootkit works more stably than most of the HIPS-oriented antiviruses.
That's not all. Surprise, surprise!
The almost decrypted driver rootkit body is mirrored in winlogon.exe memory; it is also protected from read and write requests. But if you successfully dump these memory regions (from a driver, e.g.) you can see a lot of very interesting strings such as:
RUSTOCK
TCPIP_WANARP
Microsoft Corp
Microsoft
Microsoft(R) Windows (R)
ks.sys
videoprt.sys
wmilib.sys
hal.dll
ntoskrnl.exe
services.exe
\BaseNamedObjects\%0.8X-%0.4X-%0.4X-%0.4X-%0.8X%0.4X
TransportAddress
ConnectionContext
winlogon.exe
Hence here is the famous PDB string Z:\NewProjects\spambot\rustock.c\driver\asm_\driver.pdb
And even more strings for you from botdll.dll (this is the actual name!):
208.66.194.215
gmail.com
hotmail.com
yahoo.com
aol.com
z:\NewProjects\spambot\rustock.c\release\botdll.pdb
Tremendous. And here we come to the last part of our little journey. Look at the IP address. It is valid and pingable. It is time to tell you who the author of this rootkit is, what he stands for and which force he represents.
Detection, curing and prevention
Without special tools it would be very difficult to detect and cure an infected machine. Your antiviruses and antispywares can't help you. Even your HIPS will be unable to help, because this rootkit successfully bypassed it during the self-installation period.
Detection
Monitor changes in the sizes of the executable files in the Windows directory. More than 10 KB: you are part of the botnet.
Cure
We recommend everybody back up the system drive and create a bootable compact disc; all you need is to replace all files in the WINDOWS\SYSTEM32\DRIVERS directory with backups. Or use DrWeb, since it is the only AV which can detect and cure the infection while the rootkit is alive. Everybody else is lying to you: they can see NOTHING.
Prevention
A restricted user account on Windows Vista x64 with SP1 installed. Or Windows Vista x32 SP1, because this rootkit will not run on it.
Back To The Roots!
Time to show you some truth.
Let's trace the IP given by the rootkit itself.
208.66.194.215
IP address: 208.66.194.215
No host name is associated with this IP address or no reverse lookup is configured. Error: Host not found
208.66.194.215 is from United States (US) in region North America
TraceRoute to 208.66.194.215: trace complete
Network IP address lookup: whois query for 208.66.194.215...
Results returned from whois.arin.net: McColo Corporation MCCOLO (NET-208-66-192-0-1)
Results returned from whois.arin.net:
OrgName: Western Services
NetRange: 208.66.194.184 – 208.66.194.225
RTechHandle: RPO46-ARIN
OrgTechHandle: RPO46-ARIN
So, it is a valid IP address of a dedicated server of http://www.mccolo.com
Wondering why this rootkit is named NTLDRBOT?
Here is the answer.
The author (or one of the authors) of this rootkit is known as ntldr; his profile can be found here http://freed0m.org and here http://cracklab.ru
Let's trace both places. Wondering? That's not all!
IP address: 208.72.168.146
Host name: cracklab.ru
208.72.168.146 is from United States (US) in region North America
TraceRoute to 208.72.168.146 [cracklab.ru]: trace aborted.
whois query for cracklab.ru... Results returned from whois.ripn.net: domain: CRACKLAB.RU
Network IP address lookup: whois query for 208.72.168.146... Results returned from whois.arin.net:
OrgName: McColo Corporation
NetRange: 208.72.168.0 – 208.72.175.255
OrgTechHandle: MCCOL1-ARIN
And now let's trace freed0m.org, the homepage of the Rustock.C authors.
Surprise!
IP address: 208.72.168.146
Host name: freed0m.org
208.72.168.146 is from United States (US) in region North America
TraceRoute to 208.72.168.146 [freed0m.org]: trace aborted.
whois query for freed0m.org... Results returned from whois.publicinterestregistry.net: Domain ID: D141757914-LROR
Network IP address lookup: whois query for 208.72.168.146... Results returned from whois.arin.net:
OrgName: McColo Corporation
NetRange: 208.72.168.0 – 208.72.175.255
OrgTechHandle: MCCOL1-ARIN
Almost the same information. We can conclude that these two sites are related to each other.
Looking at Rustock.C and the orientation of cracklab.ru, we are not wondering anymore. They are the same. It looks like the botnet owned by the Rustock series is directly related to the Russian crackers' underground. Dedicated servers in the USA, where the Russian Federal Security Service can't get access.
The biggest pity in all of this: the botnet masters don't even hide themselves. And it is impossible to do anything about them.
Chronicles of the Zeroday 6 – 8 May 2008
The First Day
"It doesn't exist!"
Yeah, that was the first official reaction of the antivirus employees from almost all antivirus companies.
"Well, we prevent it!"
Official reaction of the companies making firewalls and HIPS. Besides, no, they can't.
"Hmmm, a dirty DrWEB PR move?"
Official reaction of both when they realized that they can't find it without third-party help.
“Z-z-z-z-z-z-z-z”
Official reaction of hax0rs everywhere. These "true" hackers were unable to believe in such a thing; well, maybe because they were so lame all this time?
The Day Two
"It exists, but it's not widespread... well, we will add it to the databases..."
Official reaction of the antivirus companies. Adding it to virus databases doesn't mean detecting and curing this beastie. And we must tell you (it's a secret, besides): all of them except DrWeb can't detect and cure the infection while this rootkit is active.
"What the hell! Give us a dropper!!"
Official hysterics from HIPS developers and kids like Ilya Rabinovich.
"Let's disassemble it! Where is my Olly?"
Official reaction from hax0rs.
The Day Three
"Okay, added! Is the dropper available?"
The official reaction from antivirus companies.
"Give a dropper!! Give a dropper! Give me something!!!!!"
The continuing hysterics of the HIPS developers.
"It is impossible to run and analyze... huh, somebody help? Z0mbie, where are you?"
Official reaction from hax0rs.
The End
We would like to thank the people at Microsoft Corporation who gave us the remarkable tool capable of finding all parts of this rootkit and successfully resisting it. Without this tool it would have been much more difficult; thank you guys and one girl 😉 Everybody else can't even imagine what hellish work it was for this team during the last year. We would also like to thank the people at VMware Inc. and DrWeb AV Lab. Special thanks to the independent researchers whose names we can't tell for security reasons. And finally, we chose this place to post this article for some reasons.
Thanks.
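Two of the concrete artefacts in the post above lend themselves to an offline check: the 13-byte push cs / sub esp,4 / mov [esp],imm32 / retf trampoline it quotes as the source of the fastfat.sys hooks, and the advice in its "Detection" section to watch driver sizes (the IMAPI.SYS 41856 / 329080 byte mismatch between the Windows API and raw data). The script below is an added example written for this page; it is not code from HolaHola's post, from DrWeb or from any anti-rootkit tool. The first function scans a dumped driver image for that exact trampoline encoding and reports where each one transfers control, flagging targets that leave the module's own address range. The second compares driver sizes as reported through the live API with sizes read from the raw volume and with a known-good baseline. The image base and size, the hook offset's module, and every driver size except the IMAPI.SYS pair are made-up values; the memory image is constructed in the script.

```python
"""Offline checks suggested by the Rustock.C write-up (added example, not the post's own code).

1. find_far_return_hooks: scan a dumped driver image for the 13-byte
   push cs / nop / sub esp,4 / mov [esp],imm32 / retf trampoline quoted in
   the post and report where each one transfers control.
2. suspicious_drivers: compare driver sizes seen through the live Windows API
   with sizes read from the raw volume (e.g. from a boot CD) and with a
   known-good baseline, flagging mismatches and growth above a threshold.
All sample data below is constructed for the demo, not taken from a real system.
"""
import struct
from typing import Dict, List, Tuple

# Encoding of the hook shown in the post, 13 bytes in total:
#   0E              push cs
#   90              nop
#   83 EC 04        sub esp, 4
#   C7 04 24 imm32  mov dword ptr [esp], imm32   (target address)
#   CB              retf  -> pops imm32 and cs, "returns" into the rootkit body
HOOK_PREFIX = bytes.fromhex("0E 90 83 EC 04 C7 04 24")
HOOK_LEN = 13


def find_far_return_hooks(image: bytes, image_base: int, image_size: int) -> List[Tuple[int, int, bool]]:
    """Return (offset, target, outside_image) for every trampoline found.

    outside_image is True when the target lies outside the module's own
    address range, i.e. control leaves the driver for anonymous kernel memory,
    which is what the post describes (threads living in allocated kernel pages).
    """
    hits = []
    pos = image.find(HOOK_PREFIX)
    while pos != -1:
        end = pos + HOOK_LEN
        if end <= len(image) and image[end - 1] == 0xCB:
            target = struct.unpack_from("<I", image, pos + len(HOOK_PREFIX))[0]
            in_module = image_base <= target < image_base + image_size
            hits.append((pos, target, not in_module))
        pos = image.find(HOOK_PREFIX, pos + 1)
    return hits


def suspicious_drivers(baseline: Dict[str, int], api_sizes: Dict[str, int],
                       raw_sizes: Dict[str, int], threshold: int = 10 * 1024) -> List[Tuple[str, str]]:
    """Flag drivers whose API-visible size differs from the raw on-disk size,
    or whose raw size exceeds the baseline by more than `threshold` bytes
    (the post's "more than 10 KB" rule)."""
    findings = []
    for name in sorted(set(api_sizes) | set(raw_sizes)):
        api, raw = api_sizes.get(name), raw_sizes.get(name)
        if api is not None and raw is not None and api != raw:
            findings.append((name, f"API reports {api} bytes, raw volume has {raw}"))
        observed = raw if raw is not None else api
        known = baseline.get(name)
        if known is not None and observed - known > threshold:
            findings.append((name, f"grew by {observed - known} bytes over baseline"))
    return findings


# --- constructed sample data (hypothetical values) ---------------------------
# Made-up image base/size for a 32-bit fastfat.sys; offset 0x8405 and
# target 0x81122FFE are the values quoted in the post.
SAMPLE_BASE, SAMPLE_SIZE = 0xF8400000, 0x24000
SAMPLE_HOOK_OFFSET, SAMPLE_TARGET = 0x8405, 0x81122FFE
_img = bytearray(b"\x90" * 0x9000)
_img[0x100:0x103] = b"\x55\x8B\xEC"   # ordinary push ebp / mov ebp,esp prologue, must not match
_img[SAMPLE_HOOK_OFFSET:SAMPLE_HOOK_OFFSET + HOOK_LEN] = (
    HOOK_PREFIX + struct.pack("<I", SAMPLE_TARGET) + b"\xCB")
SAMPLE_IMAGE = bytes(_img)

# Sizes are made up except imapi.sys, which reproduces the 41856 / 329080 figures from the post.
BASELINE = {"imapi.sys": 41856, "fastfat.sys": 143744, "ntfs.sys": 574976}
API_VIEW = {"imapi.sys": 41856, "fastfat.sys": 143744, "ntfs.sys": 574976}   # hooked FS driver hides growth
RAW_VIEW = {"imapi.sys": 329080, "fastfat.sys": 143744, "ntfs.sys": 574976}  # read offline from the volume

if __name__ == "__main__":
    for off, tgt, outside in find_far_return_hooks(SAMPLE_IMAGE, SAMPLE_BASE, SAMPLE_SIZE):
        print(f"hook at base+{off:#x} -> {tgt:#010x}{' (outside module!)' if outside else ''}")
    for name, why in suspicious_drivers(BASELINE, API_VIEW, RAW_VIEW):
        print(f"{name}: {why}")
```

On a real machine the raw sizes have to come from a volume read while the infected OS is not running (the bootable disc the post recommends), because the fastfat.sys / ntfs.sys IRP hooks make the live API view agree with the baseline. The trampoline scanner matches only the exact byte sequence quoted in the post; a polymorphic variant that re-encodes the same push cs / retf trick (for example with different filler than nop) would need a broader pattern, so treat it as a starting point, not a signature.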