Preliminary Rustock Analysis

Rustock is pretty interesting and challenging. I had to hide from IsDebuggerPresent() to get anything out of it. Below you can see where it generates the file name for the .sys driver that holds the rootkit capabilities.

.text:00410530 push offset aWin23PeFilesLo ; "Win23 PE files loader"
.text:00410535 push offset aPe386 ; "pe386"
.text:0041053A push edi
.text:0041053B call ds:dword_40FA80
.text:00410541 nop

This looks interesting here:

.text:004105A9 push offset aCmd_exeCDel ; "cmd.exe /c \"del \""
.text:004105AE push edi
.text:004105AF call ds:lstrcatA

right after:

.text:0041057D call ds:GetModuleFileNameA
.text:00410583 ffree st(1)
.text:00410585 lea eax, [eax]
.text:00410587 jecxz short $+2
.text:00410589 mov eax, eax
.text:0041058B lea ebp, [ebp+0]
.text:0041058E lea edi, [ebp-200h]
.text:00410594 jg short $+2
.text:00410596 wait

Self-deleting? Also:

.text:004102FC push offset aOpenscmanagera ; "OpenSCManagerA"
and
.text:00410328 push offset aCreateservicea ; "CreateServiceA"
and
.text:00410342 push offset aStartservicea ; "StartServiceA"

07a146374a4bfc1594d1a2009cdb044f - search for this md5sum to get a slightly mangled version that is somewhat unpacked.

Symantec and F-Secure have some write ups.
http://www.symantec.com/enterprise/security_response/weblog/2006/06/raising_the_bar_rustocka_advan.html
http://www.f-secure.com/weblog/archives/archive-062006.html#00000907

I really need to get this totally unpacked.

18197 11:24:06 AM malware.exe:2384 WRITE C:\DOCUME~1\root\LOCALS~1\Temp\pe386.sys SUCCESS Offset: 0 Length: 59460

So it writes out the pe386.sys file to temp.

18201 11:24:06 AM malware.exe:2384 SET INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 8192

then it opens the command interpreter:

51731 11:25:17 AM malware.exe:2384 OPEN C:\WINDOWS\system32\cmd.exe SUCCESS Options: Open Access: Execute

WinExec(cmd.exe /c "del "c:\documents and settings\root\Desktop\malware.exe,0)

That's what the cmd.exe /c del business was doing: deleting its own executable.
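The dropper sequence seen in the Filemon trace above (a .sys written into the Temp directory, then cmd.exe opened for execution by the same PID) can be picked out of a log mechanically. This is an added example, not code from the original post: a small parser for Filemon-style lines plus a correlation rule, run over a constructed sample that reuses the three lines quoted above and adds one benign notepad.exe line. The line layout (sequence, time, process:pid, operation, path, result, details) and the absence of spaces in paths are assumptions.

```python
import re
from collections import defaultdict

# Assumed Filemon layout: "<seq> <time> <process>:<pid> <op> <path> <result> <details>".
# Operation names may contain spaces ("SET INFORMATION"); paths are assumed space-free (8.3 names).
FILEMON_RE = re.compile(
    r'^(?P<seq>\d+)\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<proc>\S+?):(?P<pid>\d+)\s+(?P<op>[A-Z ]+?)\s+'
    r'(?P<path>[A-Za-z]:\\\S*)\s+(?P<result>\S+)\s*(?P<details>.*)$'
)

# Constructed sample log: the three lines from the post plus one benign write by another process.
SAMPLE_LOG = r"""
18197 11:24:06 AM malware.exe:2384 WRITE C:\DOCUME~1\root\LOCALS~1\Temp\pe386.sys SUCCESS Offset: 0 Length: 59460
18201 11:24:06 AM malware.exe:2384 SET INFORMATION C:\WINDOWS\system32\config\software.LOG SUCCESS Length: 8192
18300 11:24:07 AM notepad.exe:1188 WRITE C:\DOCUME~1\root\Desktop\notes.txt SUCCESS Offset: 0 Length: 12
51731 11:25:17 AM malware.exe:2384 OPEN C:\WINDOWS\system32\cmd.exe SUCCESS Options: Open Access: Execute
"""


def parse_filemon(text):
    """Return one dict per line that matches the assumed Filemon layout; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = FILEMON_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_dropper_pattern(events):
    """Flag PIDs that write a .sys into a Temp directory and later open cmd.exe for execution."""
    dropped = defaultdict(list)   # pid -> driver paths written so far
    findings = []
    for ev in events:
        path = ev["path"].lower()
        if ev["op"] == "WRITE" and path.endswith(".sys") and "\\temp\\" in path:
            dropped[ev["pid"]].append(ev["path"])
        elif (ev["op"] == "OPEN" and path.endswith("\\cmd.exe")
              and "Access: Execute" in ev["details"] and ev["pid"] in dropped):
            findings.append({"pid": ev["pid"], "process": ev["proc"],
                             "drivers": list(dropped[ev["pid"]]), "cmd_seq": int(ev["seq"])})
    return findings


if __name__ == "__main__":
    for f in find_dropper_pattern(parse_filemon(SAMPLE_LOG)):
        print(f"{f['process']} (pid {f['pid']}) dropped {f['drivers']} then ran cmd.exe at seq {f['cmd_seq']}")
```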

STRINGS

I added more strings. This thing REALLY doesn't want to be unpacked. If anyone does successfully unpack it please let me know how / give me a copy :)

0000004D 0040004D 0 !This program cannot be run in DOS mode.
00000178 00400178 0 .text
000001A0 004001A0 0 .newIID
00001028 00401028 0 kernel32.dll
000010CF 004010CF 0 GetFileSize
000010DD 004010DD 0 GetModuleFileNameA
000010F2 004010F2 0 GetProcAddress
00001103 00401103 0 GetSystemDirectoryA
00001119 00401119 0 GetTempPathA
00001128 00401128 0 GetVersion
00001135 00401135 0 LoadLibraryA
00001144 00401144 0 OpenEventA
00001151 00401151 0 VirtualAlloc
00001160 00401160 0 VirtualFree
0000116E 0040116E 0 WinExec
00001178 00401178 0 _lclose
00001182 00401182 0 _lcreat
0000118C 0040118C 0 _lopen
00001195 00401195 0 _lread
0000119E 0040119E 0 _lwrite
000011A8 004011A8 0 lstrcatA
000011B3 004011B3 0 lstrcmpiA
000011BD 004011BD 0 pe386.sys
000011C7 004011C7 0 cmd.exe /c "del "
00001229 00401229 0 !This program cannot be run in DOS mode.
00001354 00401354 0 .text
00005D5C 00405D5C 0 ntoskrnl.exe
00005D6B 00405D6B 0 MmGetSystemRoutineAddress
00005D87 00405D87 0 KeInsertQueueDpc
00005D9A 00405D9A 0 KeInitializeDpc
00005DAC 00405DAC 0 KePulseEvent
00005DBB 00405DBB 0 KeInitializeQueue
00005DCF 00405DCF 0 ExAllocatePool
00005DE0 00405DE0 0 NtOpenProcess
00005DF0 00405DF0 0 IoAllocateIrp
00005E00 00405E00 0 IoAllocateMdl
00005E10 00405E10 0 KeInsertQueueApc
00005E23 00405E23 0 IoFreeMdl
00005E2F 00405E2F 0 KeInitializeMutex
00005E43 00405E43 0 ZwClose
0000FC00 0040FC00 0 pe386
0000FC06 0040FC06 0 Win23 PE files loader
0000FC21 0040FC21 0 CreateServiceA
0000FC30 0040FC30 0 \advapi32.dll
0000FC3E 0040FC3E 0 OpenSCManagerA
0000FC51 0040FC51 0 CreateServiceA
0000FC64 0040FC64 0 StartServiceA
0001062D 0041062D 0 h{DC5
00010A28 00411028 0 kernel32.dll
00010A37 00411037 0 GetFileSize
00010A45 00411045 0 GetModuleFileNameA
00010A5A 0041105A 0 GetProcAddress
00010A6B 0041106B 0 GetSystemDirectoryA
00010A81 00411081 0 GetTempPathA
00010A90 00411090 0 GetVersion
00010A9D 0041109D 0 LoadLibraryA
00010AAC 004110AC 0 OpenEventA
00010AB9 004110B9 0 VirtualAlloc
00010AC8 004110C8 0 VirtualFree
00010AD6 004110D6 0 WinExec
00010AE0 004110E0 0 _lclose
00010AEA 004110EA 0 _lcreat
00010AF4 004110F4 0 _lopen
00010AFD 004110FD 0 _hread
00010B06 00411106 0 _hwrite
00010B10 00411110 0 lstrcat
00010B1A 0041111A 0 lstrcmpi

V.