Sysinternals Forum (Windows Discussions > Malware)
Topic: Rustock Trojan Series (topic closed; messages in reverse chronological order)
EP_X0FF (Senior Member, Russian Federation)
Posted: 30 August 2007 at 7:32pm
Originally posted by SystemPro:
    I guess it comes from ZoneAlarm.

Yes.

Hi, fcukdat.

I can only guess that this rootkit Srizbi is based on earlier PE386 sources, which were perhaps sold to somebody.

Originally posted by Elite:
    Rustock.D???

    Whatever happened to Rustock.C? I have yet to come across anything more advanced than Rustock.B.

    I'd imagine pe386 is using the method of driver hiding that he used in the phide_ex demo, like you had planned in later Unreal variants?

    I'd guess new Rustocks can also bypass raw disk scanning too?


This is unconfirmed information from our sources, and we think that it is true.

It is hard to imagine that we have two completely undetected malware rootkits, and very hard to believe, especially after the release of so many antirootkits and their evolution last year.

We think that the new rootkit uses a packer for the driver/dropper similar to phide_ex but more advanced. We think it is also undetectable by the current level of implementation of RkU and by out-of-date tools like GMER or IceSword (I am not talking about other ARKs, because they are sh*t).

That is pure theory.

Getting just one workable dropper of C or D could revolutionize rootkit detection.
Ring0 - the source of inspiration
fcukdat (Senior Member, United Kingdom)
Posted: 30 August 2007 at 4:12pm
Hey EP

Just following on from a post you made at Wilders and speculating about timelines etc.

    Mni41.sys is the PE386 rootkit, based on Rustock.B; we can say that because it contains the TCP/IP stack machine unique to all Rustocks and a packer similar to Rustock.B's but weaker. So we have another variant of Rustock. But we can't call it C, because it is very weak in self-defense abilities. So we can guess that this is a simple prototype of the B variant. Also very interesting that it is trying to remove competitors: ntio256.sys and runtime2.sys.

Runtime2.sys (Cutwail/Bulknet) first started appearing around Feb 07+.

Since Srizbi targets a malware that didn't appear until long after many type B were in the wild, maybe it is the C variant after all?
 
 
___________
Ade Gill
Malwarebytes Researcher

Elite (Senior Member, United States)
Posted: 30 August 2007 at 1:38pm
Rustock.D???

Whatever happened to Rustock.C? I have yet to come across anything more advanced than Rustock.B.

I'd imagine pe386 is using the method of driver hiding that he used in the phide_ex demo, like you had planned in later Unreal variants?

I'd guess new Rustocks can also bypass raw disk scanning too?
SystemPro (Senior Member, Germany)
Posted: 30 August 2007 at 12:00pm
Originally posted by EP_X0FF:
    It is pure mathematics.

Ah okay, like this pill thing of Rutkowska; I forgot the original name of this little matrix checker, but something with pill..

Originally posted by EP_X0FF:
    Bypassing firewalls is possible by using a self-implemented TCP/IP stack machine and working directly with the network hardware. Prevx can claim whatever it wants.

Yes, probably there are many possibilities.

Besides, I checked the latest RkU version and for the first time found stealth code:
Unknown page with executable code
Address: 0x86904D92
Size: 622
Unknown page with executable code
Address: 0x86823DE2
Size: 542
Unknown page with executable code
Address: 0x86818BD8
Size: 1064
Unknown page with executable code
Address: 0x868189C9
Size: 1591
Unknown page with executable code
Address: 0x8681D706
Size: 2298

ntkrnlpa.exe-->IoCreateDevice, Type: EAT modification at address 0x8066E574 hook handler located in [unknown_code_page] 868185E0
tcpip.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xAED72F88 hook handler located in [unknown_code_page] 868185E0
wanarp.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xF763CC08 hook handler located in [unknown_code_page] 868185E0
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xAED72F54 hook handler located in [vsdatant.sys]
tcpip.sys-->ndis.sys-->NdisRegisterProtocol, Type: IAT modification at address 0xAED72F60 hook handler located in [vsdatant.sys]

I guess it comes from ZoneAlarm.



Edited by SystemPro - 30 August 2007 at 12:08pm
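The RkU report pasted above is the kind of artefact a responder has to triage: hooks whose handler sits in a named driver (vsdatant.sys, which SystemPro attributes to ZoneAlarm) next to hooks whose handler lands in an anonymous executable page. The Python below is an added example, not part of the thread or of RkU: it parses such a report (re-joining handler addresses the forum wrapped onto their own line), groups hooks by owning module, and checks whether each anonymous handler falls inside, or at least in the same 4 KiB page frame as, one of the reported unknown code pages. The sample report is constructed from the lines quoted above.

```python
import re
# Constructed sample, modelled on the RkU output quoted in the thread above.
SAMPLE_REPORT = """\
Unknown page with executable code
Address: 0x86818BD8
Size: 1064
Unknown page with executable code
Address: 0x868189C9
Size: 1591
ntkrnlpa.exe-->IoCreateDevice, Type: EAT modification at address 0x8066E574 hook handler located in [unknown_code_page]
868185E0
tcpip.sys-->ntkrnlpa.exe-->IoCreateDevice, Type: IAT modification at address 0xAED72F88 hook handler located in [unknown_code_page]
868185E0
tcpip.sys-->ndis.sys-->NdisOpenAdapter, Type: IAT modification at address 0xAED72F54 hook handler located in [vsdatant.sys]
"""
HOOK_RE = re.compile(
    r"^(?P<chain>.+?), Type: (?P<kind>\w+) modification at address 0x(?P<at>[0-9A-Fa-f]+)"
    r" hook handler located in \[(?P<module>[^\]]+)\](?: (?P<handler>[0-9A-Fa-f]+))?$")

def parse_report(text):
    """Return ([(page_start, size), ...], [hook dicts]) from an RkU-style report."""
    pages, hooks, start = [], [], None
    for line in map(str.strip, text.splitlines()):
        m = HOOK_RE.match(line)
        if line.startswith("Address:"):
            start = int(line.split(":", 1)[1], 16)
        elif line.startswith("Size:") and start is not None:
            pages.append((start, int(line.split(":", 1)[1])))
            start = None
        elif m:  # the handler address may sit on the same line ...
            h = m.groupdict()
            h["handler"] = int(h["handler"], 16) if h["handler"] else None
            hooks.append(h)
        elif hooks and re.fullmatch(r"[0-9A-Fa-f]{8}", line):  # ... or wrapped onto its own line
            hooks[-1]["handler"] = int(line, 16)
    return pages, hooks

def triage(text):
    """Split hooks into those owned by a named driver and those whose handler is anonymous code;
    for the latter, report exact containment in a listed page and the weaker same-4KiB-frame signal."""
    pages, hooks = parse_report(text)
    known, unknown = {}, []
    for h in hooks:
        if h["module"] != "unknown_code_page":
            known.setdefault(h["module"], []).append(h["chain"])
            continue
        a = h["handler"]
        in_range = [f"0x{s:08X}" for s, n in pages if a is not None and s <= a < s + n]
        same_frame = [f"0x{s:08X}" for s, n in pages if a is not None and s >> 12 == a >> 12]
        unknown.append({"chain": h["chain"], "kind": h["kind"], "handler": a, "in_range": in_range, "same_frame": same_frame})
    return {"known": known, "unknown": unknown}
```

On the sample, both IoCreateDevice hooks share the handler 0x868185E0, which lies in the same page frame as two of the reported unknown pages but inside neither reported range, which is exactly the discrepancy worth following up with a memory dump of that frame.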
EP_X0FF (Senior Member, Russian Federation)
Posted: 30 August 2007 at 6:49am
Detection of a software VM doesn't need "signatures" or anything like that. It is pure mathematics. Bypassing firewalls is possible by using a self-implemented TCP/IP stack machine and working directly with the network hardware. Prevx can claim whatever it wants.
SystemPro (Senior Member, Germany)
Posted: 30 August 2007 at 3:57am
Originally posted by EP_X0FF:
    Rustock.C (2006)
    ??Rustock.D (2007?)

    Deep kernel mode implementation
    All firewalls and antiviruses bypassing
    Self defense (DKOM and partially DKOH)
    Anti antirootkit part (most popular antirootkits are bypassed)
    Anti VM (VMs are detected and execution prevented)
    Anti debugging
    Polymorphic packer for drivers and droppers (unique, private packer+protector for drivers)

I guess they don't know all VMs, so detection is possible with unknown VMs. Bypassing of all firewalls and AVs is possible by corrupting/circumventing virtual memory, right? (At least Prevx claims that.)
EP_X0FF (Senior Member, Russian Federation)
Posted: 30 August 2007 at 1:19am
Originally posted by fcukdat:
    windev.sys

Thank you, it would be really interesting to see what it is.
fcukdat (Senior Member, United Kingdom)
Posted: 30 August 2007 at 1:10am
Thanks for the history update :)

I have the windev.sys driver in my zoo and quite a few Rustock variants. I will upload/share them for your inspection!
EP_X0FF (Senior Member, Russian Federation)
Posted: 29 August 2007 at 9:16pm
Hello,

The Rustock trojan series is the most technically advanced malware available today. The unique part of this trojan is its deep kernel-mode implementation, anti-detection and networking.

List of currently available Rustock variants (maybe not full).
Most of them were revealed with free HIDS tools or with the help of HIPS.

i386.sys
sysbus32.sys (2006)

wincom32.sys (2006?)

SSDT patching and IRP hooking

??windev.sys (2006?)

No information

pe386.sys (2006)

Featured SYSCALL hooking / driver stealth

mni41.sys (2006)*

*Could have a random driver name.
SSDT inline hooking, IRP hooking
Packed with polymorphic protector similar to next versions
TCP/IP stack machine (firewalls bypassing)
Competitors removal (ntio256.sys and runtime2.sys)

As you can see, this version was detected only a few months ago.

huy32.sys (2006)

Beta of Rustock.B
Contains several functions from the main version

lzx32.sys (2006)

Currently the most advanced kernel-mode rootkit that has been detected.
SYSCALL inline hooking
Hiding implemented via ADS (different variants use different ways to do that)
TCP/IP stack machine (firewalls bypassing)
Advanced antidetection (contains a blacklist of antirootkits: RKR, IceSword, DarkSpy, Blacklight, GMER)
Dropper and driver are packed with advanced protector

Rustock.C (2006)
??Rustock.D (2007?)

Deep kernel mode implementation
All firewalls and antiviruses bypassing
Self defense (DKOM and partially DKOH)
Anti antirootkit part (most popular antirootkits are bypassed)
Anti VM (VMs are detected and execution prevented)
Anti debugging
Polymorphic packer for drivers and droppers (unique, private packer+protector for drivers)

For us it makes completely no sense to discuss for which purposes ("ethical aspects" and other sh*t) this series was developed and what it is doing right now. We are interested only in the rootkit technology itself, because it can (and previous versions already did) dramatically improve the detection abilities of all currently developed modern antirootkits (RkU, GMER, IceSword).

So if somebody can add some information about Rustock or about its multiple variants, we will be happy.