Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Rustock C The Beast

evilcry
evilcry
in Malware Reverse Engineering

Featured Replies

Posted

Hi,

Rustock C is definitely the most powerful advanced rootkit for Windows ever seen, the Pure Evil :)

Here some papers about it

http://info.drweb.com/show/3342/en

http://www.rootkit.com/newsread.php?newsid=879

http://blog.threatexpert.com/2008/05/rusto...ested-doll.html

http://blog.threatexpert.com/2008/06/new-r...to-hotmail.html

* Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.

* Implemented as a driver, it runs on the lowest kernel level.

* Protects itself, prevents runtime changes.

* Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won

Edited by evilcry

nice infos mate, will come handly..

  • 2 months later...

thats amazing heh...

i wonder how long it would take to code something like this & who would have this much knowledge?...

What programming language do you think was used?

Edited by aztecx

  • Author

You need to have great knowledge of Windows Internals and high Driver Coding Skills

What programming language do you think was used?

eheh easy the only languages that can be used into a driver, C and Assembler :)

Regards,

Evilcry

Nasty stuff Rustock, is actively being used by a Russian adware company, should be able to find their copy if anyone wants it to analyze. ;)

I'm developping a new kernel-mode stuff tool .. it would be appreciated if some1 send me a copy of the rk .

Thanks very much Armaked0n :thanks:

rustock D is even worse, it's coded in assembly btw

  • Author

Hi,

If you're intersted in Rootkit Technology, search also for Srizbi Rk that is really efficient ;)

Regards,

Evilcry

Sorry didn't see it. suicideur0.gif

  • 1 month later...

No probs, although apparently that link has reached its 10 download limit, here a fresh one.

http://sharebee.com/e3bfcd5d

And a analysis of it @ http://novirusthanks.org/blog/?p=150.

I have the packed/obfuscated driver if any of you fancies unpacking it. ;)

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.