evilcry Posted June 8, 2008 (edited)

Hi,

Rustock C is definitely the most powerful advanced rootkit for Windows ever seen, the Pure Evil.

Here are some papers about it:

http://info.drweb.com/show/3342/en
http://www.rootkit.com/newsread.php?newsid=879
http://blog.threatexpert.com/2008/05/rusto...ested-doll.html
http://blog.threatexpert.com/2008/06/new-r...to-hotmail.html

* Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.
* Implemented as a driver, it runs on the lowest kernel level.
* Protects itself, prevents runtime changes.
* Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won
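The post above says the rootkit "monitors setting hardware breakpoints (DR-registers)". To see what such a check actually has to look at, here is an added example (it is not Rustock code and not taken from any of the linked papers) that decodes the x86 debug-control register DR7 and the debug-status register DR6 the way an anti-debugging routine would: which of DR0..DR3 are armed, what kind and length of breakpoint each is, and whether the general-detect (GD) bit is set. GD is the standard architectural way for ring-0 code to be notified of any later MOV to or from a debug register; whether Rustock uses it is not stated on this page, so treat that as general background, not as a description of the sample. On real hardware the register values come from MOV-from-DR in ring 0; the values below are constructed inputs so the code runs anywhere.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not Rustock code: decoding DR7 / DR6 for a hardware
 * breakpoint check. Register layout per the Intel SDM, vol. 3, "Debug Registers":
 *
 * DR7: bit 2i = Li (local enable, DRi), bit 2i+1 = Gi (global enable, DRi)
 *      bit 13 = GD (general detect: any MOV to/from DR0-DR7 raises #DB)
 *      bits 16+4i..17+4i = R/Wi : 00 exec, 01 write, 10 I/O (CR4.DE), 11 read/write
 *      bits 18+4i..19+4i = LENi : 00 1 byte, 01 2 bytes, 10 8 bytes (64-bit), 11 4 bytes
 * DR6: bits 0-3 = Bi (breakpoint i fired), bit 13 = BD (a DR access was trapped via GD)
 */

enum { DR7_GD_BIT = 13, DR6_BD_BIT = 13 };

typedef struct {
    bool     enabled;   /* Li or Gi set                     */
    bool     global;    /* Gi set                           */
    unsigned rw;        /* raw R/Wi field, 0..3             */
    unsigned len;       /* decoded length in bytes: 1,2,4,8 */
} hwbp;

static const unsigned dr7_len_bytes[4] = { 1, 2, 8, 4 };

/* Decode breakpoint slot `slot` (0..3) out of a DR7 value. */
hwbp dr7_slot(uint64_t dr7, unsigned slot)
{
    hwbp b;
    unsigned enable = (unsigned)(dr7 >> (2 * slot)) & 3u;
    b.enabled = enable != 0;
    b.global  = (enable & 2u) != 0;
    b.rw      = (unsigned)(dr7 >> (16 + 4 * slot)) & 3u;
    b.len     = dr7_len_bytes[(dr7 >> (18 + 4 * slot)) & 3u];
    return b;
}

/* Bit i of the result is set when DRi is armed (L or G enable). */
unsigned dr7_armed_mask(uint64_t dr7)
{
    unsigned mask = 0;
    for (unsigned i = 0; i < 4; i++)
        if (dr7_slot(dr7, i).enabled)
            mask |= 1u << i;
    return mask;
}

/* The question an anti-debugging routine asks: is any hardware breakpoint armed? */
bool hw_breakpoints_present(uint64_t dr7) { return dr7_armed_mask(dr7) != 0; }

/* GD set: the owner of DR7 gets a #DB on every later debug-register access. */
bool dr7_general_detect(uint64_t dr7) { return (dr7 >> DR7_GD_BIT) & 1u; }

/* From DR6 after a #DB: which slots fired, and whether it was a trapped DR access. */
unsigned dr6_hit_mask(uint64_t dr6)  { return (unsigned)(dr6 & 0xFu); }
bool     dr6_dr_access(uint64_t dr6) { return (dr6 >> DR6_BD_BIT) & 1u; }

static const char *rw_name(unsigned rw)
{
    static const char *names[4] = { "exec", "write", "io", "read/write" };
    return names[rw & 3u];
}

int main(void)
{
    /* Constructed DR7: DR0 = local execute bp, 1 byte; DR2 = global write bp,
     * 4 bytes; GD set.  L0=0x1, G2=0x20, GD=0x2000, R/W2=01 -> 0x01000000,
     * LEN2=11 -> 0x0C000000. */
    uint64_t dr7 = 0x0D002021ULL;
    printf("DR7 %#llx: armed mask %#x, GD=%d\n",
           (unsigned long long)dr7, dr7_armed_mask(dr7), dr7_general_detect(dr7));
    for (unsigned i = 0; i < 4; i++) {
        hwbp b = dr7_slot(dr7, i);
        if (b.enabled)
            printf("  DR%u: %s bp, %u byte(s), %s\n", i, rw_name(b.rw), b.len,
                   b.global ? "global" : "local");
    }
    /* Constructed DR6: B2 fired (0x4), no trapped DR access. */
    printf("DR6 0x4 -> hit mask %#x, trapped DR access: %d\n",
           dr6_hit_mask(0x4ULL), dr6_dr_access(0x4ULL));
    return 0;
}
```

With the constructed DR7 the armed mask is 0x5 (DR0 and DR2), DR2 decodes as a global 4-byte write breakpoint, and GD is set. A kernel component that polls DR7 this way sees a debugger's hardware breakpoints only on the CPU and thread context it reads them from, which is why the papers linked above describe more than one anti-debugging layer.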
Shub-Nigurrath Posted June 8, 2008

Nice info mate, will come in handy.
aztecx Posted August 25, 2008 (edited)

That's amazing heh... I wonder how long it would take to code something like this & who would have this much knowledge? What programming language do you think was used?
evilcry Posted August 31, 2008 (Author)

You need to have great knowledge of Windows Internals and high driver coding skills.

> What programming language do you think was used?

Eheh, easy: the only languages that can be used in a driver, C and Assembler.

Regards,
Evilcry
steve10120 Posted August 31, 2008

Nasty stuff. Rustock is actively being used by a Russian adware company; I should be able to find their copy if anyone wants it to analyze.
GamingMasteR Posted August 31, 2008

I'm developing a new kernel-mode stuff tool. It would be appreciated if someone sent me a copy of the rk.
Armaked0n Posted August 31, 2008

@GamingMasteR: you can download samples of this rootkit from http://www.offensivecomputing.net
GamingMasteR Posted August 31, 2008

Thanks very much Armaked0n
F0X Posted September 4, 2008

Rustock D is even worse; it's coded in assembly btw.
Willi000 Posted September 10, 2008

Here is an article from Kaspersky Lab: http://www.viruslist.com/en/analysis?pubid=204792011
evilcry Posted September 14, 2008 (Author)

Hi,

If you're interested in Rootkit Technology, search also for the Srizbi Rk, which is really efficient.

Regards,
Evilcry
steve10120 Posted September 15, 2008

Nice breakdown of it @ http://www.rootkit.com/newsread.php?newsid=879.
aztecx Posted September 16, 2008

> Nice breakdown of it @ http://www.rootkit.com/newsread.php?newsid=879.

He already linked us to that in the first post.
steve10120 Posted September 16, 2008

Sorry, didn't see it.
steve10120 Posted October 27, 2008

Sorry for the double post. I found this while analyzing some Russian adware; could be a new Rustock variant.

Sandbox: http://www.threatexpert.com/report.aspx?md...01324aae844a773
Password: infected
Download: http://rapidshare.com/files/158005746/infected1.rar.html - rename .ppp to .exe of course.

Waiting for Kaspersky to mail me back with a detection notice.
evilcry Posted November 2, 2008 (Author)

Hello,

Here an interesting paper on Rustock.C: http://www.reconstructer.org/papers/Rustoc...omes%20true.pdf

@steve10120: Thank you for the sample, I'll give it a look.

Regards,
Giuseppe 'Evilcry' Bonfa'
steve10120 Posted November 5, 2008

No probs, although apparently that link has reached its 10 download limit, so here's a fresh one: http://sharebee.com/e3bfcd5d

And an analysis of it @ http://novirusthanks.org/blog/?p=150.

I have the packed/obfuscated driver if any of you fancies unpacking it.