Jump to content
Tuts 4 You

Rustock C The Beast


Recommended Posts


Rustock C is definitely the most powerful advanced rootkit for Windows ever seen, the Pure Evil :)

Here some papers about it





* Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.

* Implemented as a driver, it runs on the lowest kernel level.

* Protects itself, prevents runtime changes.

* Uses active anti-debugging techniques: monitors setting hardware breakpoints (DR-registers), disrupts operation of kernel-level debuggers (e.g. Syser, SoftIce). WinDbg debugger won

Edited by evilcry
Link to comment
Share on other sites

  • 2 months later...

thats amazing heh...

i wonder how long it would take to code something like this & who would have this much knowledge?...

What programming language do you think was used?

Edited by aztecx
Link to comment
Share on other sites

You need to have great knowledge of Windows Internals and high Driver Coding Skills

What programming language do you think was used?

eheh easy the only languages that can be used into a driver, C and Assembler :)



Link to comment
Share on other sites

Nasty stuff Rustock, is actively being used by a Russian adware company, should be able to find their copy if anyone wants it to analyze. ;)

Link to comment
Share on other sites

  • 1 month later...

Sorry for the double post.

I found this while analyzing some Russian adware, could be a new rustock variant.



Password: infected


http://rapidshare.com/files/158005746/infected1.rar.html - rename .ppp to .exe of course.

Waiting for Kaspersky to mail me back with a detection notice.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...