Rustock, also known as “Spambot”, is a family of back door programs with advanced user-mode and kernel-mode rootkit capabilities. Rustock has been under continuous development since around November 2005. It is a tough threat to combat because it combines multiple evasion techniques to remain undetected by commonly used rootkit detectors, such as Rootkit Revealer, IceSword, and BlackLight.
To start with, Rustock is downloaded from remote Web sites that host Web browser exploits and is installed on unpatched computers. Alongside the Rustock threat, the downloader also fetches other malicious code and even a misleading application, Spy Sheriff.
The second version of Rustock, named Rustock.B, employs even more sophisticated techniques than its predecessor, the original Rustock.A. Its advanced rootkit techniques, unique method of system hooking, and use of a polymorphic dropper (combined with a spam component) allow it to evade detection by many antivirus and antispyware products, as well as to bypass firewalls and many rootkit detectors.
For a “deep dive” into how Rustock works and why it is currently able to defeat so many security vendors, please visit Symantec's Handling Today's Tough Security Threats Web site. Once on the site, look for the Rustock High Level Overview and Rustock Technical Overview Webcasts and click on their links to listen to them.