evilcry Posted June 8, 2008 (edited)
Hi,
Rustock C is definitely the most powerful advanced rootkit for Windows ever seen, the Pure Evil. Here are some papers about it:
http://info.drweb.com/show/3342/en
http://www.rootkit.com/newsread.php?newsid=879
http://blog.threatexpert.com/2008/05/rusto...ested-doll.html
http://blog.threatexpert.com/2008/06/new-r...to-hotmail.html
* Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.
* Implemented as a driver, it runs on the lowest kernel level.
* Protects itself, prevents runtime changes.
* Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won
Edited June 8, 2008 by evilcry
aztecx Posted August 25, 2008 (edited)
That's amazing heh... I wonder how long it would take to code something like this, and who would have this much knowledge? What programming language do you think was used?
Edited August 25, 2008 by aztecx
evilcry (Author) Posted August 31, 2008
You need to have great knowledge of Windows Internals and high driver coding skills.
"What programming language do you think was used?"
Eheh, easy: the only languages that can be used in a driver, C and Assembler.
Regards,
Evilcry
steve10120 Posted August 31, 2008
Nasty stuff. Rustock is actively being used by a Russian adware company; I should be able to find their copy if anyone wants it to analyze.
GamingMasteR Posted August 31, 2008
I'm developing a new kernel-mode stuff tool... it would be appreciated if someone sends me a copy of the rk.
Armaked0n Posted August 31, 2008
@GamingMasteR: you can download samples of this rootkit from http://www.offensivecomputing.net
F0X Posted September 4, 2008
Rustock D is even worse; it's coded in assembly, btw.
Willi000 Posted September 10, 2008
Here is an article from Kaspersky Lab: http://www.viruslist.com/en/analysis?pubid=204792011
evilcry (Author) Posted September 14, 2008
Hi,
If you're interested in rootkit technology, search also for the Srizbi rk, which is really efficient.
Regards,
Evilcry
steve10120 Posted September 15, 2008
Nice breakdown of it @ http://www.rootkit.com/newsread.php?newsid=879.
aztecx Posted September 16, 2008
"Nice breakdown of it @ http://www.rootkit.com/newsread.php?newsid=879."
He already linked us to that in the first post.
steve10120 Posted October 27, 2008
Sorry for the double post. I found this while analyzing some Russian adware; could be a new Rustock variant.
Sandbox: http://www.threatexpert.com/report.aspx?md...01324aae844a773
Password: infected
Download: http://rapidshare.com/files/158005746/infected1.rar.html - rename .ppp to .exe, of course.
Waiting for Kaspersky to mail me back with a detection notice.
evilcry (Author) Posted November 2, 2008
Hello,
Here is an interesting paper on Rustock.C:
http://www.reconstructer.org/papers/Rustoc...omes%20true.pdf
@steve10120: Thank you for the sample, I'll give it a look.
Regards,
Giuseppe 'Evilcry' Bonfa'
steve10120 Posted November 5, 2008
No probs, although apparently that link has reached its 10-download limit; here is a fresh one: http://sharebee.com/e3bfcd5d
And an analysis of it @ http://novirusthanks.org/blog/?p=150.
I have the packed/obfuscated driver if any of you fancies unpacking it.