ROOTKIT
Because the OS isn't enough!
Rustock.C
By: HolaHola

Prologue

Rootkit created: approximately fall 2006 to the beginning of 2007.
First time revealed: accidentally, around June 2007.
Unpacked and analyzed: October 2007, with the SEYE emulator.
First unofficial publication of information: November 2007, by USForce (SysInternals forums).
Officially revealed and demystified: DrWeb Antivirus Lab, April-May 2008.
Active undetected lifetime: approximately 1.5 years (an absolute record for Windows-oriented malware).
TTL: approximately 1 year (passed).
Rootkit origin: Russian Federation.
Rootkit ancestor: Rustock.B (revealed June 2006).
Rootkit successor: Rustock.D (probably still unrevealed, if it exists).
Rootkit series author(s): unknown, origin Russian Federation.

The Power of Rustock.C

Rustock.C is the most powerful rootkit ever found under Windows up to the present time. The key features that make it so powerful and so hard to detect are:
1. The most advanced polymorphic protector seen in malware to date
2. A stealth-by-design implementation
3. An anti-antirootkit component
4. Extremely effective firewall bypassing
5. Extremely effective support management

Polymorphic protector

Specially created mechanisms and methods which:
1. Are deadly effective against kernel mode debugging and tracing
2. Are deadly effective against signature-based detection methods and modern heuristics
3. Dramatically slow down the reverse-engineering process (even for qualified specialists)

The polymorphic protector of Rustock.C combines most of the known anti-debugging tricks and tips in a kernel mode engine; nothing like it had been seen before. The protector consists of several layers with different degrees of code morphing. It controls the DR (debug) registers and counteracts debugging with tools such as Syser or SoftICE.
Rustock.C makes using WinDbg completely impossible. It is very hard to unpack, but not impossible: everything that can be executed can be cracked.

Stealth by Design Implementation

You may be wondering how this stuff works, when everything is under control and there are not so many ways to get into kernel mode. Still wondering? The time of the pure trojans is over. The new generation of trojans not only works successfully in kernel mode but also becomes a part of the operating system itself. Let's leave behind rumors and idiocy such as Blue Pill and concentrate all our attention on two questions: How? And where?

You may be surprised, but you can watch this rootkit running on your system every day for months (and even years!) and never suspect that it is a piece of malware. So how? Rustock.C is the first fully functional kernel mode virus. Its targets are innocent Microsoft Windows system drivers located in the X:\WINDOWS\SYSTEM32\DRIVERS directory, where X is your system disk; it does not matter whether they are signed or not, that does not help enough. Your prevention system cannot stop the rootkit from loading, for two reasons: it loads before the HIPS, and it is a trusted Microsoft system driver.

C:\WINDOWS\SYSTEM32\DRIVERS\IMAPI.SYS --> Size mismatch between Windows API and raw data --> 41856 bytes / 329080 bytes

The rootkit works at the lowest levels of the system. The virus part of the rootkit locates a victim by the following criteria: the victim must be a Microsoft-compiled driver, and it must have the Boot or System start flag in the registry. It then "owns" the victim by combining the original innocent driver with the rootkit body. The difference in size between the original and the infected driver is hidden with the help of a few smart inline (splice) hooks in other system drivers responsible for file system support and operation, such as ntfs.sys for NTFS and fastfat.sys for FAT32.
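The two size checks that the IMAPI.SYS observation above implies, as an added example that is not part of the original article: the size reported through the (hookable) file system API is compared with the size read from the raw volume, and boot/system-start drivers are compared against a known-good baseline using the article's 10 KB rule. The driver records, sizes and the SERVICE_* constants used here are constructed sample data, except for the IMAPI.SYS numbers, which are the ones quoted above; on a live machine the raw size would have to come from reading the volume directly or from an offline boot, because the hooked fastfat.sys/ntfs.sys path lies.

```python
# Added example (not from the original article): the two file-size checks the
# analysis above relies on, run over a constructed snapshot of drivers.
from dataclasses import dataclass

SERVICE_BOOT_START = 0        # registry Start value 0 (boot start)
SERVICE_SYSTEM_START = 1      # registry Start value 1 (system start)
GROWTH_THRESHOLD = 10 * 1024  # "more than 10 KB" rule from the article

@dataclass(frozen=True)
class DriverRecord:
    name: str       # file name under WINDOWS\SYSTEM32\DRIVERS
    start: int      # Start value from HKLM\SYSTEM\CurrentControlSet\Services
    api_size: int   # size as returned through the (hookable) file system API
    raw_size: int   # size read from the raw volume, bypassing the FS driver

def is_virus_candidate(rec: DriverRecord) -> bool:
    """Drivers the virus part targets: Boot or System start (signing does not matter)."""
    return rec.start in (SERVICE_BOOT_START, SERVICE_SYSTEM_START)

def size_mismatches(snapshot):
    """Check 1: API-reported size != raw size means the file system hooks are lying."""
    return [(r.name, r.api_size, r.raw_size)
            for r in snapshot if r.api_size != r.raw_size]

def grown_drivers(baseline, snapshot, threshold=GROWTH_THRESHOLD):
    """Check 2: a target driver's raw size grew by more than threshold bytes."""
    base = {r.name: r.raw_size for r in baseline}
    hits = []
    for r in snapshot:
        if not is_virus_candidate(r):
            continue
        old = base.get(r.name)
        if old is not None and r.raw_size - old > threshold:
            hits.append((r.name, old, r.raw_size))
    return hits

# Constructed baseline from a clean install (sample sizes, except IMAPI.SYS,
# whose original size 41856 comes from the article).
BASELINE = [
    DriverRecord("IMAPI.SYS", SERVICE_SYSTEM_START, 41856, 41856),
    DriverRecord("fastfat.sys", SERVICE_BOOT_START, 143360, 143360),
    DriverRecord("usbprint.sys", 3, 25856, 25856),   # demand start: not a target
]
# Constructed snapshot of the same machine after infection: the API still
# reports 41856 bytes for IMAPI.SYS while the raw data is 329080 bytes.
INFECTED = [
    DriverRecord("IMAPI.SYS", SERVICE_SYSTEM_START, 41856, 329080),
    DriverRecord("fastfat.sys", SERVICE_BOOT_START, 143360, 143360),
    DriverRecord("usbprint.sys", 3, 25856, 25856),
]

if __name__ == "__main__":
    for hit in size_mismatches(INFECTED):
        print("size mismatch between API and raw data: %s %d / %d" % hit)
    for hit in grown_drivers(BASELINE, INFECTED):
        print("driver grew since baseline: %s %d -> %d" % hit)
```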
For example, on FAT32 systems the rootkit sets the following hooks in fastfat.sys:

fastfat.sys --> [IRP_MJ_CLOSE]
fastfat.sys --> [IRP_MJ_CREATE]
fastfat.sys --> [IRP_MJ_DIRECTORY_CONTROL]
fastfat.sys --> [IRP_MJ_QUERY_INFORMATION]
fastfat.sys --> [IRP_MJ_READ]
fastfat.sys --> [IRP_MJ_SET_INFORMATION]
fastfat.sys --> [IRP_MJ_WRITE]
fastfat.sys --> [Base + 0x00008405]

As you can see, Rustock.C hooks several IRP handlers responsible for common file system operations. This is also where the protection against overwriting and reading the infected data lives. On NTFS volumes the hooks are the same, but in ntfs.sys.

Remarkable! ntfs.sys or fastfat.sys can themselves be victims of the rootkit. Rustock.C has a special mechanism: it walks through the system drivers, disinfecting the previous victim and infecting a new one. So even if you locate the infected driver, the infection can migrate to another file and you will miss the target.

Antirootkits cannot see this rootkit because they do not know what (and how) they should look for, and also because all of them, except three or four products, are totally lame and an unacceptable solution for defeating or revealing rootkits (even old ones). On FAT32 volumes this technique is so effective that the most advanced public antirootkit available today, GMER v1.14+, sees nothing. Absolutely zero. Only four antirootkits exist in the full meaning of the word: GMER, RKU, IceSword and RkTrap. Everything else is just trash.

The source of the hooks looks like this. It is a remarkable solution, because no public antirootkit available today is powerful enough to detect such a code modification and trace it successfully.
push cs
nop
sub esp, 4
mov dword ptr [esp], 81122FFEh
retf
A 13-byte inline hook. Again, it is remarkable. This rootkit has no processes, files or registry entries of its own. It becomes a part of the operating system, which is impossible to remove simply by deleting something without killing Windows. It exists as a set of threads working somewhere in allocated kernel mode memory. And you cannot even trace them by start address, because that is a bad idea from the beginning: it is very easy to bypass by design. Here is a small example:

0x820D5A4C PAGE WITH EXECUTABLE CODE
0x820BC7FA PAGE WITH EXECUTABLE CODE
0x820AD7F6 PAGE WITH EXECUTABLE CODE
0x820A5F29 PAGE WITH EXECUTABLE CODE
0x820D3740 PAGE WITH EXECUTABLE CODE
0x820AF662 PAGE WITH EXECUTABLE CODE
0x8209E5C7 PAGE WITH EXECUTABLE CODE
0x820D54F4 PAGE WITH EXECUTABLE CODE
0x820CB2BC PAGE WITH EXECUTABLE CODE
0x820BF280 PAGE WITH EXECUTABLE CODE
0x8214B1B0 PAGE WITH EXECUTABLE CODE

For bypassing firewalls this rootkit uses several inline hooks in the network drivers:

tcpip.sys --> [IRP_MJ_CREATE]
tcpip.sys --> [IRP_MJ_INTERNAL_DEVICE_CONTROL]
tcpip.sys --> [Base + 0x00003CFA]
wanarp.sys --> [Base + 0x000053FD]

There is nothing really new here. Moreover, it looks like the network part of this rootkit has not changed much since version B.

This rootkit works successfully on the following Windows versions:

x86 Windows 2000 (SP1, SP2, SP3, SP4)
x86 Windows XP (SP1, SP2, SP3)
x86 Windows 2003 (SP1, SP2)
x86 Windows Vista

But that is not all! There is even more stuff waiting for your attention. As you probably know, previous versions of this rootkit suffered from a pure love of SYSENTER and IDT hooking. The first variant, Rustock.A, simply hooked SYSENTER by replacing the original handler address with its own. The second variant, Rustock.B, extended this by building a little gate inside the loaded ntoskrnl.exe to the actual handler located inside the malicious code. The third variant, C, brings more fun here.
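Returning to the 13-byte push cs / retf splice shown above: an added example, not code from the original article, of how a scanner can recognise that exact byte sequence in a dumped code section and recover its far-return target, plus the signature-free check that a defender should prefer, a byte diff of the live section against the same bytes from the on-disk driver image, which catches a splice whatever instruction sequence it uses. Assumptions: the standard short encodings (0E, 90, 83 EC 04, C7 04 24 imm32, CB); the target 81122FFEh is the value quoted above, while the on-disk prologue bytes, the load address FASTFAT_BASE and the surrounding buffer are constructed.

```python
# Added example (not from the original article): detect the 13-byte
# "push cs / nop / sub esp,4 / mov [esp], imm32 / retf" inline hook in a
# constructed code dump, and diff live bytes against the on-disk image.
import struct

# Opcode bytes of the hook, with a hole for the 32-bit target (little endian):
#   0E            push cs
#   90            nop
#   83 EC 04      sub esp, 4
#   C7 04 24 xx   mov dword ptr [esp], imm32   (xx = 4-byte target)
#   CB            retf
HOOK_PREFIX = bytes.fromhex("0E9083EC04C70424")
HOOK_SUFFIX = bytes.fromhex("CB")
HOOK_LEN = len(HOOK_PREFIX) + 4 + len(HOOK_SUFFIX)   # 13 bytes

def decode_far_return_hook(chunk: bytes):
    """Return the branch target if chunk starts with the 13-byte hook, else None."""
    if len(chunk) < HOOK_LEN or not chunk.startswith(HOOK_PREFIX):
        return None
    if chunk[len(HOOK_PREFIX) + 4] != HOOK_SUFFIX[0]:
        return None
    target, = struct.unpack_from("<I", chunk, len(HOOK_PREFIX))
    return target

def find_far_return_hooks(code: bytes, base_va: int):
    """Scan a code section; return (virtual address, target) for every hook found."""
    hits = []
    i = code.find(HOOK_PREFIX)
    while i != -1:
        target = decode_far_return_hook(code[i:i + HOOK_LEN])
        if target is not None:
            hits.append((base_va + i, target))
        i = code.find(HOOK_PREFIX, i + 1)
    return hits

def diff_against_image(memory: bytes, on_disk: bytes, base_va: int):
    """Signature-free check: addresses whose live byte differs from the on-disk
    image (relocations aside, a driver's code section should match exactly)."""
    return [base_va + i for i, (m, d) in enumerate(zip(memory, on_disk)) if m != d]

# Constructed sample: a typical on-disk function prologue, and the same bytes in
# memory with the first 13 bytes overwritten by a hook pointing at 0x81122FFE.
ON_DISK = bytes.fromhex("8BFF558BEC83EC0C5356578B7D08")   # mov edi,edi; push ebp; ...
IN_MEMORY = HOOK_PREFIX + struct.pack("<I", 0x81122FFE) + HOOK_SUFFIX + ON_DISK[HOOK_LEN:]
FASTFAT_BASE = 0xF8000000   # made-up load address for the example

if __name__ == "__main__":
    for va, target in find_far_return_hooks(IN_MEMORY, FASTFAT_BASE):
        print("far-return hook at 0x%08X -> 0x%08X" % (va, target))
    changed = diff_against_image(IN_MEMORY, ON_DISK, FASTFAT_BASE)
    print("bytes differing from on-disk image:", ["0x%08X" % va for va in changed])
```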
Unlike the previous variants, Rustock.C directly hooks the unexported SSDT dispatcher function _KiSystemService (this is the actual internal Microsoft name for it). Hooking this function grants the rootkit the exclusive ability to filter EVERY system call passed from user mode, even calls to the graphics and messaging subsystems. And it filters! Example:

kernel32.dll:TerminateProcess --> ntdll.dll:NtTerminateProcess --> sysenter or INT 2E --> kernel mode --> _KiSystemService --> actual kernel service

Here is the hook:

ntkrnlpa.exe --> [Base + 0x000695F0]

The following functions are under the control of Rustock.C:

NtCreateThread
NtCreateThreadEx
NtDelayExecution
NtDuplicateObject
NtOpenThread
NtProtectVirtualMemory
NtQuerySystemInformation
NtReadVirtualMemory
NtResumeThread
NtTerminateProcess
NtTerminateThread
NtWriteVirtualMemory

Okay, let's explore some of them. What is the purpose of these hooks? What do they hide, or what do they protect? Basically, Rustock.C consists of two parts: a kernel mode backdoor and a user mode spam-sending library. The rootkit injects this library into the winlogon.exe process. This is very convenient, because this process is always trusted by firewalls, and that cannot be changed because of how the operating system works.

You may wonder again: a spam library inside winlogon.exe should be very easy to detect, shouldn't it? Of course. But do you really think the author of Rustock does not know about this? So he made a special protection layer for this library. It is mapped in winlogon.exe memory and does not exist in the PEB loader (LDR) lists. The memory range occupied by this library is protected with the help of the NtReadVirtualMemory, NtWriteVirtualMemory and NtProtectVirtualMemory hooks, so it cannot be dumped with the usual tools, including most antirootkits. The library contains threads executing in user mode. They are hidden from the Windows API with the help of the NtQuerySystemInformation, NtOpenThread and NtTerminateThread hooks. It is the first time a rootkit hides user mode threads from detection. Amusing: so many hooks, and all of this works?!
Yes, and extremely stably, we must admit. Even in an MPC environment this rootkit works more stably than most HIPS-oriented antiviruses. That's not all. Surprise, surprise! An almost fully decrypted copy of the rootkit driver body is mirrored in winlogon.exe memory, and it is also protected from read and write requests. But if you successfully dump these memory regions (from a driver, for example), you can see a lot of very interesting strings, such as:

RUSTOCK TCPIP_WANARP Microsoft CorpMicrosoft Microsoft(R) Windows (R) ks.sys videoprt.sys wmilib.sys hal.dll ntoskrnl.exe services.exe \BaseNamedObjects\%0.8X-%0.4X-%0.4X-%0.4X-%0.8X%0.4X TransportAddress ConnectionContext winlogon.exe

And here is the famous PDB string:

Z:\NewProjects\spambot\rustock.c\driver\asm_\driver.pdb

And even more strings for you from botdll.dll (this is its actual name!):

208.66.194.215 gmail.com hotmail.com yahoo.com aol.com z:\NewProjects\spambot\rustock.c\release\botdll.pdb

Tremendous. And here we come to the last part of our little journey. Look at the IP address. It is valid and pingable. It is time to tell you who the author of this rootkit is, what he stands for and which force he represents.

Detection, curing and prevention

Without special tools it is very difficult to detect and cure an infected machine. Your antiviruses and antispywares cannot help you. Even your HIPS will be unable to help, because this rootkit successfully bypassed it during its self-installation period.

Detection

Monitor changes in the sizes of the executable files in the Windows directory. More than 10 KB, and you are part of the botnet.

Cure

We recommend everybody back up the system drive and create a bootable compact disc; all you need to do is replace all files in the WINDOWS\SYSTEM32\DRIVERS directory with the backups. Or use DrWeb, since it is the only AV which can detect and cure the infection while the rootkit is alive. Everybody else is lying to you: they can see NOTHING.

Prevention

A restricted user account on Windows Vista x64 with SP1 installed.
Or Windows Vista x32 SP1, because this rootkit will not run on it.

Back To The Roots!

Time to show you some truth. Let's trace the IP address given by the rootkit itself: 208.66.194.215.

IP address: 208.66.194.215
No host name is associated with this IP address or no reverse lookup is configured.
208.66.194.215 is from United States(US) in region North America

The traceroute reaches it in seven hops, the last named hop being vl-701.rt02.sjc.mccolo.com. The whois query at whois.arin.net returns:

McColo Corporation MCCOLO (NET-208-66-192-0-1) 208.66.192.0 - 208.66.195.255
Western Services MCCOLO-DEDICATED-CUST1242 (NET-208-66-194-184-1) 208.66.194.184 - 208.66.194.225

So it is a valid IP address of a dedicated server at http://www.mccolo.com. Wondering why this rootkit is named NTLDRBOT? Here is the answer. The author (or one of the authors) of this rootkit is known as ntldr; his profile can be found at http://freed0m.org and at http://cracklab.ru. Let's trace both places. Wondering?

That's not all!

IP address: 208.72.168.146
Host name: cracklab.ru
208.72.168.146 is from United States(US) in region North America

The traceroute follows the same path as above through 208.66.192.25 and then times out. The whois query at whois.ripn.net returns:

domain: CRACKLAB.RU
nserver: ns2.nameself.com.
nserver: ns1.nameself.com.
state: REGISTERED, DELEGATED
registrar: RUCENTER-REG-RIPN
created: 2004.03.10

The A record for cracklab.ru is 208.72.168.146, and the whois query at whois.arin.net for that address returns:

OrgName: McColo Corporation
NetRange: 208.72.168.0 - 208.72.175.255
CIDR: 208.72.168.0/21
NetName: MCCOLO

And now let's trace freed0m.org, the homepage of the Rustock.C authors. Surprise!

IP address: 208.72.168.146
Host name: freed0m.org
208.72.168.146 is from United States(US) in region North America

The traceroute again dies after 208.66.192.25. The whois query at whois.publicinterestregistry.net returns:

Domain Name:FREED0M.ORG
Created On:18-Mar-2007 05:30:13 UTC
Sponsoring Registrar:OnlineNIC Inc. (R64-LROR)
Registrant Organization:freed0m company
Registrant City:Moscow
Registrant Country:RU
Name Server:NS1.NAMESELF.COM
Name Server:NS2.NAMESELF.COM

The A record for freed0m.org is 208.72.168.146, and the whois query at whois.arin.net for it returns the same McColo Corporation allocation, MCCOLO, 208.72.168.0 - 208.72.175.255.

Almost the same information. We can conclude that these two sites are related to each other. Looking at the orientation of Rustock.C and cracklab.ru, we are no longer wondering. They are the same. It looks like the botnet owned by the Rustock series is directly related to the Russian cracker underground: dedicated servers in the USA, where the Russian Federal Security Service cannot get access. The biggest pity in all of this is that the botnet masters do not even hide themselves. And it is impossible to do anything about them.

Chronicles of the Zeroday, 6-8 May 2008

The First Day

"It does not exist!" Yeah, it was the first official reaction of the antivirus employees from almost all antivirus companies.
"Well, we prevent it!" Official reaction of the companies making firewalls and HIPS.
Besides, no, they can't.
"Hmmm, a dirty DrWeb PR move?" Official reaction of both when they realized that they could not find it without third-party help.
"Z-z-z-z-z-z-z-z" Official reaction of hax0rs everywhere. These "true" hackers were unable to believe in such a thing; well, maybe because they were so lame all this time?

The Day Two

"It exists, but it is not widely spread... well, we will add it to the databases..." Official reaction of the antivirus companies. Adding it to the virus databases does not mean detecting and curing this beastie. And we must tell you (it's a secret, besides): all of them except DrWeb cannot detect and cure the infection while this rootkit is active.
"What the hell! Give us a dropper!!" Official hysterics from HIPS developers and kids like Ilya Rabinovich.
"Let's disassemble it! Where is my Olly?" Official reaction from Russian hax0rs.

The Day Three

"Okay, added! Is the dropper available?" The official reaction from antivirus companies.
"Give a dropper!! Give a dropper! Give me something!!!!!" The continuing hysterics of the HIPS developers.
"It is impossible to run and analyze... huh, somebody help? Z0mbie, where are you?" Official reaction from Russian hax0rs.

The End

We would like to thank the people at Microsoft Corporation who gave us the remarkable tool capable of finding all parts of this rootkit and successfully resisting it. Without this tool it would have been much more difficult; thank you, guys and one girl. Everybody else cannot even imagine what hell of a job it was for this team during the last year. We would also like to thank the people at VMware Inc. and DrWeb AV Lab. Special thanks to the independent researchers whose names we cannot tell for security reasons. And finally, we chose this place to post this article for reasons of our own. Thanks.