
Rustock Trojan/Rootkit

It has been observed that a multi-component family of rootkit-enabled backdoor Trojans named Rustock, known primarily as a prolific spam source, is spreading in the wild. It arrives on the system as an attachment in spammed mails or is dropped by other malware (Trojan "Costrat" variants).

Some variants appear to be associated with the incidence of rogue security programs.

It is reported that some of the variants exploit the Windows Server Service vulnerability (MS08-067, CIVN-2008-170) to compromise systems and propagate.

Trojan Rustock is capable of hiding files and processes by modifying functions in the Windows file NTOSKRNL.EXE, which handles basic Windows functions on NT-based systems (Windows 2000, XP, and Server 2003). The Trojan also displays backdoor capabilities by running its code within the context of services.exe.

Trojan Rustock consists of three components embedded within each other: the dropper (which runs in user mode), the driver's installer, and the actual rootkit driver (both of which run in kernel mode). All of the Trojan's components are encrypted, and the actual driver component is also packed with plib.

The dropper facilitates updates and the deployment of the rootkit's driver installer. The installer is first decrypted, then dropped and loaded under the guise of a legitimate system driver: the Trojan stops a legitimate system driver through the Service Control Manager (SCM), overwrites it with the rootkit driver and loads it. If this is unsuccessful, it drops the driver under a random or hard-coded name.

Aliases

  • BKDR_RUSTOCK.A (Trend Micro)
  • Backdoor.Rustock.B (Symantec)
  • Spam-Mailbot (McAfee)

Upon execution the Rustock variants:

  • Drops any of the following randomly named files:

    o zofgaziv.sys, yzsrx.sys, toqztgpcbecdnx.sys (in %Windir%\System32\drivers)
    o a log file [RANDOM].tmp.log (in %Temp%)

  • Creates the following registry keys and values:

    o HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PE386\SECURITY
    o HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PE386\IMAGEPATH="??\%WINDIR%\SYSTEM32:LZX32.SYS"
    o HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PE386\START="1"
    o HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PE386\GROUP="BASE"
    o HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PE386\EXTPARAM=""
    o HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PE386\SECURITY\SECURITY=(BINARY REGISTRY DATA)
    o HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PE386\ERRORCONTROL="0"
    o HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PE386\TYPE="1"
    o HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\PE386\DISPLAYNAME="WIN23 LZX FILES LOADER"

  • Modifies the following Application Programming Interfaces (APIs) by hooking the Windows kernel through MSR_SYSENTER:

    o ZwOpenKey
    o ZwEnumerateKey
    o ZwQueryKey
    o ZwCreateKey

  • Creates the NTFS Alternate Data Stream %Windows%\System32:{Random number}.
  • Attempts to hide itself from applications whose names contain the following strings:

    o BlackLight
    o DarkSpy
    o Rkdetector
    o RootkitRevealer

  • Scans the Windows kernel image in memory for the following string and replaces it with malicious code that executes the rootkit functions:

    o FATAL_UNHANDLED_HARD_ERROR

  • Alters the correct functioning of the following system modules used for network communications, in order to bypass firewalls and perform network packet manipulation:
  • May hijack web navigation and redirect HTTP traffic, and attempts to post the following HTTP query to the Google search engine:

    [http://]www.google.com/search?hl=en&q=[KEYWORDS]

    where [KEYWORDS] is a randomly chosen keyword, as in the following examples:

    o [http://]www.google.com/search?hl=en&q=news%2Blove
    o [http://]www.google.com/search?hl=en&q=data%2Bgames%2Bfree
    o [http://]www.google.com/search?hl=en&q=enter

  • Contacts the following remote hosts:

    o maila.microsoft.com
    o [http://]208.66.194.14/index.php?page=main

  • Acts as a covert proxy on the compromised computer.
  • When an attempt is made to manually delete the Rustock driver component, the system behaves as if the file does not exist (see below).

[Image: Trojan-15-7.JPG]
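As an added defender-side example (not part of the advisory), the following Python flags driver services whose ImagePath points into an NTFS alternate data stream, the persistence pattern shown by the PE386 registry entries above, and also matches the service and display names the advisory lists. The service records are a constructed sample standing in for a parsed export of the Services registry key.

```python
import re
from typing import Dict, List

# Indicators quoted from the advisory; the service records below are constructed.
KNOWN_SERVICE_NAMES = {"PE386"}
KNOWN_DISPLAY_NAMES = {"WIN23 LZX FILES LOADER"}

def normalise_image_path(raw: str) -> str:
    """Strip quotes and the NT '\\??\\' prefix (the advisory prints it without
    the leading backslash), then expand %WINDIR% and \\SystemRoot\\."""
    path = raw.strip().strip('"')
    path = re.sub(r"^\\?\?\?\\", "", path)
    path = re.sub(r"%(WINDIR|SYSTEMROOT)%", r"C:\\Windows", path, flags=re.IGNORECASE)
    path = re.sub(r"^\\SystemRoot\\", r"C:\\Windows\\", path, flags=re.IGNORECASE)
    return path

def refers_to_ads(image_path: str) -> bool:
    """True when the final path component has the form name:stream. The only
    legitimate colon in a driver path is the drive letter ('C:'); a colon in
    the last component names an NTFS alternate data stream (SYSTEM32:LZX32.SYS
    is a stream attached to the System32 directory itself)."""
    path = normalise_image_path(image_path)
    body = path[2:] if re.match(r"^[A-Za-z]:", path) else path
    last = body.rsplit("\\", 1)[-1]
    return ":" in last

def suspicious_services(services: Dict[str, Dict[str, str]]) -> List[str]:
    """Return 'name: reason; reason' for each service that loads from an ADS
    or carries one of the advisory's PE386 indicators."""
    findings = []
    for name, values in services.items():
        reasons = []
        if refers_to_ads(values.get("ImagePath", "")):
            reasons.append("ImagePath in alternate data stream")
        if name.upper() in KNOWN_SERVICE_NAMES:
            reasons.append("known Rustock service name")
        if values.get("DisplayName", "").upper() in KNOWN_DISPLAY_NAMES:
            reasons.append("known Rustock display name")
        if reasons:
            findings.append(f"{name}: " + "; ".join(reasons))
    return findings

# Constructed sample modelled on a 'reg export' of HKLM\SYSTEM\CurrentControlSet\Services.
SAMPLE_SERVICES = {
    "Tcpip": {"Type": "1", "ImagePath": r"system32\DRIVERS\tcpip.sys"},
    "Beep": {"Type": "1", "ImagePath": r"\SystemRoot\system32\drivers\beep.sys"},
    "PE386": {"Type": "1", "Start": "1", "Group": "BASE", "DisplayName": "WIN23 LZX FILES LOADER",
              "ImagePath": r"\??\%WINDIR%\SYSTEM32:LZX32.SYS"},
}
print(*suspicious_services(SAMPLE_SERVICES), sep="\n")
```

Only the path check generalises beyond this family: any driver service whose image lives in a stream rather than a file is worth examining, whatever the service is called.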

Countermeasures

  • Delete the files and registry entries created by Trojan Rustock, as listed above.
  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Install and maintain a desktop firewall and block the ports that are not required.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Apply the appropriate patches as mentioned in the CERT-In vulnerability note (CIVN-2008-170).


Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.