Skip navigation.
Home

Further into rustock

|

So I was sitting in Hoglund and Butler's Advanced Rootkits class playing with instdrv and injecting processes via device drivers, when I had an idea.

I know where rustok puts its rootkit driver from the partial unpacked disassembly I was able to do, but I can't get at it because its in an ADS which is hidden by the rootkit itself. But here I am playing with instdrv which lets you load and unload drivers by path.

So I told it to unload pe386.sys and then I ran lads.exe to see if I could find the ADS now. Indeed it was there. From there it was a matter of doing cat.exe c:\windows\system32\:pe386.sys > c:\owned.sys to extract the driver! However this driver is protected somehow so on to the next step :)

Also Ero and Pedram gave me some awesome techniques for unpacking things a little better and based on that I was able to extract some VERY interesting infomration from rustock. There is an IP address:

208.66.194.14

Which belongs to OrgName: McColo Corporation
OrgID: MCCOL
Address: 125 E. Delaware Ave.
City: Newark
StateProv: DE
PostalCode: 19711
Country: US

And a http path:

/index.php?page=main

as well as several other things I am exploring. This is why I love Blackhat!

V.

are there any tools for

are there any tools for dumping device drivers (sys) from memory? I mean, this crypted pe386.sys, how can it be unpacked? I tried full memory dump and the loaded memory.dmp in WinDBG but lm (list modules) command didn't show any pe386.sys. I understood it hides something, but.. could it hide itself even on a memory dump?

yeh

Im having the same problems. havent come up with a solution yet, if anyone has ideas post them here please.

V.

I had an idea

Probably attaching a kernel debugger might help to see whats going on with that .sys file. Ill try it out when I get time.

V.

Perhaps

What rights did you attempt to dump the memory space with? And have you tried dumping it from a driver or service that run with much better access ?

Rustock?

Where can I get a copy of Rustock to play with?

Rustock is here

These are the three main files from a previous post provided by mythx.

ffxrodnd.exe 111d19b60ae921ac90c2b73c2afe18e0
bwpwnjpw.exe 28a56f3a53ca91e85185bb28541b43b7
ntohjrk.exe 0dace30934e7435a78140bc4bc19ed30

Hi , you might find my

Hi , you might find my report of the hijack methods used to deliver this rootkit interesting and included are the domains/files involved:

http://www.bluetack.co.uk/forums/index.php?showtopic=15097