Further into rustock
So I was sitting in Hoglund and Butler's Advanced Rootkits class playing with instdrv and injecting processes via device drivers, when I had an idea.
I know where Rustock puts its rootkit driver from the partial unpacked disassembly I was able to do, but I can't get at it because it's in an ADS which is hidden by the rootkit itself. But here I am playing with instdrv which lets you load and unload drivers by path.
So I told it to unload pe386.sys and then I ran lads.exe to see if I could find the ADS now. Indeed it was there. From there it was a matter of doing cat.exe c:\windows\system32\:pe386.sys > c:\owned.sys to extract the driver! However, this driver is protected somehow, so on to the next step :)
Also Ero and Pedram gave me some awesome techniques for unpacking things a little better and based on that I was able to extract some VERY interesting information from rustock. There is an IP address:
208.66.194.14
Which belongs to:
OrgName: McColo Corporation
OrgID: MCCOL
Address: 125 E. Delaware Ave.
City: Newark
StateProv: DE
PostalCode: 19711
Country: US
And an HTTP path:
/index.php?page=main
as well as several other things I am exploring. This is why I love Blackhat!
V.
I had an idea
Probably attaching a kernel debugger might help to see what's going on with that .sys file. I'll try it out when I get time.
V.
Rustock?
Where can I get a copy of Rustock to play with?
Rustock is here
These are the three main files from a previous post provided by mythx.
ffxrodnd.exe 111d19b60ae921ac90c2b73c2afe18e0
bwpwnjpw.exe 28a56f3a53ca91e85185bb28541b43b7
ntohjrk.exe 0dace30934e7435a78140bc4bc19ed30
Hi, you might find my
Hi, you might find my report of the hijack methods used to deliver this rootkit interesting and included are the domains/files involved:
http://www.bluetack.co.uk/forums/index.php?showtopic=15097

are there any tools for
are there any tools for dumping device drivers (.sys) from memory? I mean, this encrypted pe386.sys, how can it be unpacked? I tried a full memory dump and loaded the memory.dmp in WinDbg, but the lm (list modules) command didn't show any pe386.sys. I understood it hides something, but.. could it hide itself even in a memory dump?
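Two steps in this thread call for the same piece of tooling: fingerprinting the driver pulled out of the ADS in the original post (the post uses cat.exe; on Windows, Python's open() accepts the same stream path once the driver is unloaded), and the last comment's question about finding a driver that has unlinked itself from the module list so that lm no longer shows it. A module hidden from lm is still mapped in physical memory, so a raw dump can be scanned page by page for PE headers instead of trusting the loader's list. The script below is an added example, not tooling from the post or its commenters; the header builder and the demo dump are constructed test data, and the image base and sizes in them are made up.

```python
"""Locate and fingerprint PE images (especially NATIVE-subsystem drivers) in a raw byte blob.

Works on a file extracted from disk or an ADS as well as on a raw memory dump,
because in both cases a PE header starts on a 4 KiB boundary.
"""
import hashlib
import struct

PAGE = 0x1000
IMAGE_SUBSYSTEM_NATIVE = 1            # subsystem used by kernel-mode drivers
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_header(blob, off=0):
    """Validate a PE image starting at blob[off] and return its key facts, or None."""
    if blob[off:off + 2] != b"MZ" or off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    # A sane DOS stub keeps the PE signature inside the first page of the image.
    if e_lfanew >= PAGE or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe + 4)
    opt = pe + 24
    if opt_size < 0x48 or opt + opt_size > len(blob):
        return None
    magic = struct.unpack_from("<H", blob, opt)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", blob, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", blob, opt + 24)[0]
    else:
        return None
    # SizeOfImage and Subsystem sit at the same offsets in PE32 and PE32+.
    size_of_image = struct.unpack_from("<I", blob, opt + 56)[0]
    subsystem = struct.unpack_from("<H", blob, opt + 68)[0]
    return {
        "offset": off, "machine": machine, "sections": nsections, "timestamp": timestamp,
        "image_base": image_base, "size_of_image": size_of_image, "subsystem": subsystem,
        "is_driver": subsystem == IMAGE_SUBSYSTEM_NATIVE,
    }


def carve_pe_images(dump):
    """Scan every page boundary of a dump for PE headers; hash each mapped image."""
    found = []
    for off in range(0, len(dump) - 0x40, PAGE):
        hdr = parse_pe_header(dump, off)
        if hdr is None:
            continue
        end = min(off + hdr["size_of_image"], len(dump))
        hdr["md5"] = hashlib.md5(dump[off:end]).hexdigest()
        hdr["sha256"] = hashlib.sha256(dump[off:end]).hexdigest()
        found.append(hdr)
    return found


def build_test_image(subsystem, image_base, size_of_image=0x3000, pe32plus=False):
    """Constructed minimal PE header padded to SizeOfImage; not a real driver."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(0xF0 if pe32plus else 0xE0)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, size_of_image)
    struct.pack_into("<H", opt, 68, subsystem)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0x45A00000, 0, 0, len(opt), 0x0102)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    return header + bytes(size_of_image - len(header))


def build_demo_dump():
    """Constructed 40 KiB 'memory dump': a bare MZ decoy, a NATIVE driver, a user-mode PE32+ image."""
    dump = bytearray(0xA000)
    dump[0x1000:0x1002] = b"MZ"                                         # no PE signature: must be skipped
    dump[0x3000:0x6000] = build_test_image(IMAGE_SUBSYSTEM_NATIVE, 0xF8A10000)
    dump[0x6000:0x9000] = build_test_image(2, 0x140000000, pe32plus=True)  # 2 = WINDOWS_GUI
    return bytes(dump)


if __name__ == "__main__":
    import sys
    # Usage: python carve_pe.py <raw-dump-or-driver-file>; with no argument the demo dump is scanned.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_demo_dump()
    for hit in carve_pe_images(data):
        kind = "driver" if hit["is_driver"] else "image"
        print(f"{kind} at dump offset {hit['offset']:#x}: base={hit['image_base']:#x} "
              f"size={hit['size_of_image']:#x} md5={hit['md5']}")
```

Run it against the extracted owned.sys to get the same MD5-style fingerprint the thread uses for the droppers, or against a raw memory.dmp to list every mapped image regardless of whether the loader still lists it. Matching a carved driver back to a name is then a question of comparing its hash and image base with what lm and the on-disk copy report; a NATIVE-subsystem image that lm does not know about is exactly the discrepancy the last comment is asking how to surface.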