Next Generation of Rustock.Rootkit variants?

Analysis Content: Next Generation of Rustock.Rootkit variants?
Released: 18.11.2008
Author of Analysis: Robert
Contact: robert@novirusthanks.org
Website: http://novirusthanks.org

My friend Steve sent me today a possible new variant of the famous Rustock.Rootkit!

The file I received was named unprotdmp; below is the scan report:

Report Generated 17.11.2008 at 23.05.50 (GMT 1)
Time for scan: 26 seconds
Filename: unprotdmp
File size: 48 KB
MD5 Hash: 4D5F159DFBDEC338F6E8E83BAAA0B26F
SHA1 Hash: 26E87BE9EC0D41965DA6860AE617AF56A449778F
CRC32: 2928629155
Application Type: Executable (EXE) 32bit
Packer detected: Nothing found [Overlay] *
Self-Extract Archive: Nothing found
Binder Detector: File is possible binded with malware
ASCII Strings: View
Detection Rate: 3 on 23

Antivirus Result
a-squared Nothing found!
Avira AntiVir TR/Dropper.Gen
Avast Nothing found!
AVG Nothing found!
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Nothing found!
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Nothing found!
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Malware-Cryptor.Win32.General.3
VirusBuster Nothing found!

The file contains a lot of very interesting strings:

ExAllocatePool
ExFreePool
ZwQuerySystemInformation
ZwOpenKey
ZwCreateKey
%win
svchost.exe
ZwCreateEvent
TransportAddress
ConnectionContext
C:\progz\NewWork\driver\objfre\i386\driver.pdb
LoadLibraryA
GetProcAddress
SetEvent
Init
CreateThread
SleepEx
FATAL_UNHANDLED_HARD_ERROR

wcschr
ZwClose
ZwSetValueKey
wcslen
ZwCreateKey
RtlInitUnicodeString
ZwUnmapViewOfSection
ExFreePoolWithTag
swprintf
ExAllocatePoolWithTag
ZwMapViewOfSection
ZwOpenSection
PsTerminateSystemThread
KeDelayExecutionThread
ZwCreateEvent
ZwOpenEvent
PsCreateSystemThread
PsGetCurrentProcessId
ZwQuerySystemInformation
IoGetCurrentProcess
ZwDeleteKey
ZwEnumerateKey
ZwOpenKey
IoGetRelatedDeviceObject
ZwCreateFile
ZwReadFile
ZwQueryInformationFile
KeReleaseMutex
KeWaitForSingleObject
KeInitializeEvent
KeInsertQueueApc
KeInitializeApc
KeClearEvent
ObfDereferenceObject
PsLookupThreadByThreadId
IoFreeMdl
KeDetachProcess
MmMapLockedPages
KeAttachProcess
MmBuildMdlForNonPagedPool
IoAllocateMdl
MmUnmapLockedPages
NtSetInformationProcess
ObReferenceObjectByHandle
PsLookupProcessByProcessId
PsSetCreateProcessNotifyRoutine
KeInitializeMutex
wcstombs
IofCompleteRequest
ProbeForRead
KeGetCurrentThread
KeSetEvent
KeServiceDescriptorTable
MmProbeAndLockPages
ObfReferenceObject
SeDeleteAccessState
RtlCopyUnicodeString
SeSetAccessStateGenericMapping
RtlMapGenericMask
SeCreateAccessState
ObCreateObject
IoFileObjectType
IoFreeIrp
IoAllocateIrp
ZwOpenFile
IoReuseIrp
IoGetDeviceObjectPointer
ProbeForWrite
MmUnlockPages
IoCancelIrp
IofCallDriver
_allmul
KeUnstackDetachProcess
KeStackAttachProcess
ntoskrnl.exe
_except_handler3
ExReleaseFastMutex
ExAcquireFastMutex
HAL.dll
NDIS.SYS

IoGetRelatedDeviceObject
KeInitializeEvent
DbgPrint
IoAllocateMdl
KeInitializeDpc
ntoskrnl.exe

ImagePath
Type
Start
ErrorControl
\BaseNamedObjects\5B37FB3B-984D-1E57-FF38-AA681BE5C8D8
\registry\machine\system\CurrentControlSet\Services\%x
\SystemRoot\System32\drivers\%x.sys
\BaseNamedObjects\{60F9FCD0-8DD4-6453-E394-771298D2A470}
services.exe
\registry\machine\system\CurrentControlSet\Enum\Root\LEGACY_%ws
\SystemRoot\System32\ntdll.dll
%ws%ws
\Device\Tcp
svchost.exe
\SystemRoot\Temp\%u.tmp
.log
\registry\machine\system
\Device\Tcp

These are interesting strings, huh?!

So let's do a small analysis based only on the strings we found:

%win probably stands for the Windows directory (similar to the environment variable %WinDir%).

svchost.exe may be a process into which the malware injects code.

C:\progz\NewWork\driver\objfre\i386\driver.pdb is a very interesting string: this debug-symbol (PDB) path differs from every other Rustock.Rootkit variant and should indicate a new version of the malware! (objfre\i386 is the WDK output directory of a free, i.e. release, x86 driver build, which fits a kernel driver.)

HAL.dll: the Windows Hardware Abstraction Layer (HAL) is the module that hides hardware-specific details from the rest of Windows.

NDIS.sys: the Network Driver Interface Specification (NDIS) is the kernel application programming interface (API) for network interface card (NIC) drivers.

\registry\machine\system\CurrentControlSet\Services\%x is the Services key; %x is a format placeholder that will be replaced with the malware's service name.

\SystemRoot\System32\drivers\%x.sys is the directory where drivers are stored; %x is a format placeholder that will be replaced with the name of the malware driver.

services.exe may be used by the malware to load and start its service, or the malware may inject code into it.

We can also see that the file has two PE images embedded in it, so perhaps one is the rootkit's kernel driver and the other is the user-mode bot component.

Unfortunately I cannot test/run this sample, so I can only show this small analysis; anyway, very interesting code!

Another file found together with this rootkit was named sxmg4.dll; below is its scan report:

Report Generated 18.11.2008 at 0.13.08 (GMT 1)
Time for scan: 33 seconds
Filename: sxmg4.dll
File size: 68 KB
MD5 Hash: 15EB3167B2B87F168B1D997530D41003
SHA1 Hash: 206C3E2D26F051C988D38F3B22215F81AE68C54A
CRC32: 542643393
Application Type: Dinamyc Link Library (DLL) 32bit
Packer detected: Microsoft Visual C++ 6.0 DLL
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
ASCII Strings: View
Detection Rate: 5 on 23

Antivirus Result
a-squared Trojan.Win32.BHO.d!IK
Avira AntiVir Nothing found!
Avast Nothing found!
AVG Trojan horse BackDoor.Ircbot.GEV
BitDefender Nothing found!
ClamAV Nothing found!
Comodo Nothing found!
Dr.Web Nothing found!
Ewido Nothing found!
F-PROT 6 Nothing found!
G DATA Nothing found!
IkarusT3 Trojan.Win32.BHO.d
Kaspersky Nothing found!
McAfee Nothing found!
NOD32 v3 Win32/Adware.AntiSpyKing application
Norman Nothing found!
Panda Nothing found!
QuickHeal Nothing found!
Solo Antivirus Nothing found!
Sophos Nothing found!
TrendMicro Nothing found!
VBA32 Trojan-Downloader.Win32.FraudLoad.vdjm
VirusBuster Nothing found!

Import Tables:

KERNEL32.DLL
+GetTempPathA
+WaitForSingleObject
+GetLocalTime
+DisableThreadLibraryCalls
+InterlockedDecrement
+MoveFileExA
+LeaveCriticalSection
+EnterCriticalSection
+lstrlenW
+GetSystemDirectoryA
+GetWindowsDirectoryA
+GetModuleFileNameA
+GetTickCount
+DeleteCriticalSection
+InitializeCriticalSection
+SystemTimeToFileTime
+GetFileAttributesA
+GetModuleHandleA
+FindResourceA
+SizeofResource
+GetLastError
+WideCharToMultiByte
+Sleep
+lstrlenA
+MultiByteToWideChar
+CloseHandle
+InterlockedIncrement
ADVAPI32.dll
+RegNotifyChangeKeyValue
ATL.DLL
GDI32.dll
+GetDeviceCaps
MSVCP60.dll
+?_Xran@std@@YAXXZ
+??1_Winit@std@@QAE@XZ
+??0_Winit@std@@QAE@XZ
+??1Init@ios_base@std@@QAE@XZ
+??0Init@ios_base@std@@QAE@XZ
+?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ID@Z
+?rfind@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
+?_Freeze@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEXXZ
+?replace@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PAD0PBD@Z
+?resize@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEXI@Z
+?substr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBE?AV12@II@Z
+?erase@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@II@Z
+??0_Lockit@std@@QAE@XZ
+??1_Lockit@std@@QAE@XZ
+??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@0@Z
+?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@ABV12@II@Z
+??8std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
+??0?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@ABV?$allocator@D@1@@Z
+?append@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
+?find@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QBEIPBDII@Z
+?npos@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@2IB
+?_C@?1??_Nullstr@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@CAPBDXZ@4DB
+?assign@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAEAAV12@PBDI@Z
+??9std@@YA_NABV?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@0@PBD@Z
+??1?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@QAE@XZ
+?_Tidy@?$basic_string@DU?$char_traits@D@std@@V?$allocator@D@2@@std@@AAEX_N@Z
MSVCRT.dll
+_mbslwr
+wcslen
+_vsnprintf
+strcat
+memcmp
+memmove
+isspace
+rand
+memcpy
+strtok
+fclose
+fread
+fopen
+fwrite
+strrchr
+strcmp
+ftell
+fseek
+_beginthreadex
+_purecall
+_ftol
+pow
+strtol
+__dllonexit
+_strlwr
+_onexit
+_except_handler3
+?terminate@@YAXXZ
+_initterm
+_adjust_fdiv
+??2@YAPAXI@Z
+__CxxFrameHandler
+srand
+free
+strlen
+strncpy
+calloc
ole32.dll
+CoCreateInstance
OLEAUT32.dll
SHELL32.dll
+ShellExecuteA
USER32.dll
+KillTimer

And below are some extracted strings:

http://
class=”title”
text=
gping=
class=yschttl
class=l
n[keyword]
c.php?id=
http
\TSoft
Software
\lt.res
\sft.res
open
rundll32.exe
%s,RunMain
\sn.txt
popurl
DOWNLOAD
clickreferer
referer
$number
feed
KEYS
SECT
%d.exe
Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32C620D6-CC10-4e6a-9715-BACACD5B0E61} ====> here we can see that it will install a BHO (Browser Helper Object)
Systray component
SOFTWARE\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
WebProxy
{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
EulaAccepted
Software\Sysinternals\Bluescreen Screen Saver
iexplore.exe
Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN
explorer.exe
F\bulksoft.ini
btimeout
mbinterval
binterval
mbcaption
bcaption
mburl
burl
mbtext
btext
PROM
lang
PSECT
Software\AntispyKnight
\sysin.scr
_WSCLAS_
InstallLanguage
SYSTEM\CurrentControlSet\Control\Nls\Language
Software\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}
Systray
Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe %s,RunMain
Hookd
YIHookWWW

We can see two .EXE names:

iexplore.exe
explorer.exe

which are probably the processes into which the malware will inject the DLL or other code.

We can see a reference to the registry key used to autostart a program at logon:

Software\Microsoft\Windows\CurrentVersion\Run

We can also see a reference to software that may be installed:

Software\AntispyKnight

and if we also check the detection names from:

NOD32 v3 Win32/Adware.AntiSpyKing application
VBA32 Trojan-Downloader.Win32.FraudLoad.vdjm

We can imagine that a rogue (fake antispyware) program, possibly named AntispyKnight, will be installed on the computer.
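The registry paths in the string dump describe four ways the DLL could be made to load: a BHO under Explorer\Browser Helper Objects, a Run entry, an Active Setup Installed Components StubPath and a ShellServiceObjectDelayLoad CLSID, with rundll32.exe %s,RunMain as the launch template. An incident responder checks for exactly those on a suspect machine. The script below is an added example, not code from the original post: it parses a registry export (the .reg text format written by reg export) and reports every persistence entry it finds, resolving BHO and SSODL CLSIDs to their InprocServer32 module so that one DLL registered several ways stands out. SAMPLE_REG is constructed to mirror the strings above; the system32 location of sxmg4.dll, the NoExplorer value and the benign ctfmon entry are assumptions, not data from the analysed sample.

```python
"""Persistence audit over a .reg export, following the registry paths in the string dump.
Added example, not code from the original post. SAMPLE_REG is constructed to mirror the
strings listed above; the system32 location of sxmg4.dll, the NoExplorer value and the
ctfmon entry are assumptions, not data from the analysed sample."""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32C620D6-CC10-4e6a-9715-BACACD5B0E61}]
"NoExplorer"=dword:00000001
[HKEY_CLASSES_ROOT\CLSID\{32C620D6-CC10-4e6a-9715-BACACD5B0E61}\InprocServer32]
@="C:\\WINDOWS\\system32\\sxmg4.dll"
[HKEY_CLASSES_ROOT\CLSID\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}\InprocServer32]
@="C:\\WINDOWS\\system32\\sxmg4.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Systray"="rundll32.exe C:\\WINDOWS\\system32\\sxmg4.dll,RunMain"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
"StubPath"="rundll32.exe C:\\WINDOWS\\system32\\sxmg4.dll,RunMain"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"="{A744F16C-B2D5-4138-81A2-085CDFCDE83A}"'''

VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')       # "name"=data  or  @=data
RUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.I)
BHO_KEY = re.compile(r"\\Explorer\\Browser Helper Objects\\(\{[0-9A-Fa-f-]{36}\})$", re.I)
ACTIVE_SETUP_KEY = re.compile(r"\\Active Setup\\Installed Components\\\{[0-9A-Fa-f-]{36}\}$", re.I)
SSODL_KEY = re.compile(r"\\CurrentVersion\\ShellServiceObjectDelayLoad$", re.I)
# rundll32.exe <module>,<export>: the export is what runs, the module is the real payload
RUNDLL = re.compile(r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)"?\s*,\s*(\S+)', re.I)


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)             # .reg escapes backslash and quote with '\'


def _ci(d: dict, name: str):                      # registry paths and value names ignore case
    return next((v for k, v in d.items() if k.lower() == name.lower()), None)


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: value}}; '' is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue                                  # hex: continuation lines are skipped here
        name, data = m.group(1), m.group(2)
        name = "" if name == "@" else _unescape(name[1:-1])
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            keys[current][name] = int(data[6:], 16)
        else:
            keys[current][name] = data                # hex:/expand-string types kept raw
    return keys


def resolve_clsid(keys: dict, clsid: str):
    """InprocServer32 module for a CLSID, checking HKCR and then HKLM\\SOFTWARE\\Classes."""
    for root in (r"HKEY_CLASSES_ROOT\CLSID", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"):
        module = _ci(_ci(keys, f"{root}\\{clsid}\\InprocServer32") or {}, "")
        if module:
            return module
    return None


def module_of(command: str):
    """Split a launch command into (module path, rundll32 export or None)."""
    m = RUNDLL.match(command.strip())
    return (m.group(1).strip(), m.group(2)) if m else (command.strip().strip('"'), None)


def audit(text: str) -> list:
    """One finding per persistence entry: mechanism, registry location, module, export."""
    keys, findings = parse_reg(text), []

    def add(mechanism, location, module, export=None):
        findings.append({"mechanism": mechanism, "location": location, "module": module, "export": export})

    for key, values in keys.items():
        if RUN_KEY.search(key):
            for name, cmd in values.items():
                add("run", f"{key}\\{name}", *module_of(str(cmd)))
        elif BHO_KEY.search(key):
            add("bho", key, resolve_clsid(keys, BHO_KEY.search(key).group(1)))
        elif ACTIVE_SETUP_KEY.search(key) and _ci(values, "StubPath"):
            add("active_setup", key, *module_of(str(_ci(values, "StubPath"))))
        elif SSODL_KEY.search(key):
            for name, clsid in values.items():
                add("ssodl", f"{key}\\{name}", resolve_clsid(keys, str(clsid)))
    return findings


def modules_by_mechanism(findings: list) -> dict:
    """Group findings by module path so one DLL registered several ways stands out."""
    grouped = {}
    for f in findings:
        if f["module"]:
            grouped.setdefault(f["module"].lower(), set()).add(f["mechanism"])
    return {mod: sorted(mechs) for mod, mechs in grouped.items()}
```

Run modules_by_mechanism(audit(open("export.reg").read())) over an export of HKLM\SOFTWARE and HKCR taken from the suspect host; a module that shows up under bho, run, active_setup and ssodl at once, as sxmg4.dll does in the constructed sample, is the first thing to pull for analysis, while a benign entry such as ctfmon appears under a single mechanism.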

Ok, this analysis ends here :)
