Video Screencast Help
Security Response

Raising the Bar: Rustock.A and Advances in Rootkits

Created: 29 Jun 2006 07:00:00 GMT • Updated: 23 Jan 2014 18:59:08 GMT
Elia Florio's picture
0 0 Votes
Login to vote

The never-ending game of hide-and-seek between the antivirus industry and rootkits has begun a new chapter. Recently our lab discovered a new rootkit sample in the wild that is very unique given the techniques it uses. It was named Backdoor.Rustock.A, and because of its special characteristics it can be considered the first born of the next generation of rootkits. Rustock.A consists of a mix of old techniques and new ideas that when combined make a malware that is stealthy enough to remain undetected by many rootkit detectors commonly used (such as RootkitRevealer, BlackLight and IceSword). We consider it to be an advanced example of "stealth by design" malicious code. [1]

So, why is Rustock.A so special? Many rootkit detectors use a cross-view based detection algorithm. This means that they detect hidden objects by finding the discrepancies between a high-level view and a low-level view. For example, a simple rootkit detector can enumerate the list of processes using a method similar to Windows Task Manager, and then it will try to enumerate the processes again using different low-level methods. If everything is ok, the obtained lists will not have differences or discrepancies. Here are some of the reasons that Rustock.A is turning heads:

- Rootkit detectors can detect hidden processes, but Rustock.A has no process. The malicious code runs inside the driver and in kernel threads.
- Rootkit detectors find hidden files, so Rustock.A uses NTFS Alternate Data Stream
to hide its driver into the "\System32:18467" ADS. In addition, this ADS can't be enumerated by ADS-aware tools since it is protected by the rootkit.
- Some detectors check for the presence of system hooks by analyzing native API
and scanning for hooked functions, however Rustock.A does not hook directly any native API.
- Rootkit detectors also check for the integrity of some kernel structures like the Service Descriptor Table, but Rustock.A controls kernel functions by hooking MSR_SYSENTER and other special IRP functions. [2]
- Rootkit detectors try to detect hidden drivers, but Rustock.A removes its entries from many kernel structures including the Services Control Manager, Object manager, and the loaded module list so that this enumeration fails.
- Last, but perhaps not least, the SYS driver is polymorphic and changes its code from sample to sample.
Moreover, the malware contains aggressive rootkit technologies because it scans for the following strings in loaded programs, and then changes its behavior to avoid any detection:
- BlackLight
- Rootkitrevealer
- Rkdetector

All of the features that I have mentioned here make Backdoor.Rustock.A totally invisible on a compromised computer when installed. It even seems able to achieve all of its stealth functionality without any problems on a beta version of Microsoft Windows Vista (6.0.5270). We believe that Rustock.A is probably a Russian creature, and it contains the string "G:\bot-mailer\007spambot-01\driver\objfre", which leads us to believe that we'll undoubtedly see new versions of this malware. So, the bar is raised again.

References:

[1] http://www.invisiblethings.org/papers/rutkowska_bheurope2006.ppt
[2] "Subverting the Windows Kernel" by Greg Hoglund (http://www.rootkit.com)