Discovered on June 1st, 2006 by Symantec, Rustock.A has raised a lot of eyebrows. Backdoor.Rustock.A is a backdoor trojan which opens a hidden proxy on a randomly chosen TCP port on the infected computer. That, of course, is not what raises the eyebrows; the rootkit techniques it uses are.
Upon execution, Rustock.A creates the file pe386.sys in the Temp folder. Then it creates an alternate data stream (ADS), named with a random number, on the System32 directory. It then creates the following hidden driver:
Display name: pe386
Image path: %System32%:[Random Number] (this is the ADS it created)
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386
It then uses advanced rootkit techniques to hide the registry subkeys and to alter the behaviour of the APIs ZwOpenKey, ZwEnumerateKey, ZwQueryKey and ZwCreateKey. Finally, it opens the covert proxy on a random TCP port.
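The two artifacts described above (a named stream on the System32 directory and a service whose image path points into it) can be hunted for from a live system. This is an added example, not code from the original post; the AdsHunt namespace and the Get-NamedStreams function are my own names, and it is assumed to run elevated on Windows PowerShell.

```powershell
# Added example, not from the original post: look for the two artifacts the
# post describes -- a named stream on the System32 directory object itself
# (%System32%:[Random Number]) and a service whose ImagePath points into such
# a stream. Uses FindFirstStreamW via P/Invoke because it also works on
# directories. Run elevated; namespace and function names are assumptions.
Add-Type -Namespace AdsHunt -Name Native -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
public struct WIN32_FIND_STREAM_DATA {
    public long StreamSize;
    [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)] public string cStreamName;
}
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern IntPtr FindFirstStreamW(string lpFileName, int InfoLevel,
    out WIN32_FIND_STREAM_DATA lpFindStreamData, uint dwFlags);
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern bool FindNextStreamW(IntPtr hFindStream, out WIN32_FIND_STREAM_DATA lpFindStreamData);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool FindClose(IntPtr hFindFile);
'@

function Get-NamedStreams {
    param([string]$Path)
    $data = New-Object -TypeName 'AdsHunt.Native+WIN32_FIND_STREAM_DATA'
    $h = [AdsHunt.Native]::FindFirstStreamW($Path, 0, [ref]$data, 0)
    # INVALID_HANDLE_VALUE: no streams at all (normal for a directory) or access denied
    if ($h.ToInt64() -eq -1) { return }
    try {
        do {
            # '::$DATA' is the unnamed stream of a file; anything else is a named ADS
            if ($data.cStreamName -ne '::$DATA') {
                [pscustomobject]@{ Path = $Path; Stream = $data.cStreamName; Size = $data.StreamSize }
            }
        } while ([AdsHunt.Native]::FindNextStreamW($h, [ref]$data))
    } finally { [void][AdsHunt.Native]::FindClose($h) }
}

# 1. A directory normally carries no named streams, so any hit here deserves a look.
Get-NamedStreams -Path (Join-Path $env:SystemRoot 'System32')

# 2. Services whose ImagePath ends in '<name>:<stream>' rather than a file name.
#    Caveat from the post: the rootkit hooks ZwOpenKey/ZwEnumerateKey, so its own key
#    may be filtered out of this live walk; compare against an offline copy of the hive.
Get-ChildItem -LiteralPath 'HKLM:\SYSTEM\CurrentControlSet\Services' | ForEach-Object {
    $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if ($p.ImagePath -match '(^|\\)[^\\]*:[^\\]+$') {
        [pscustomobject]@{ Service = $_.PSChildName; ImagePath = $p.ImagePath; Type = $p.Type }
    }
}
```

Because the registry walk goes through the very APIs the post says are hooked, an empty result from step 2 on a suspect machine proves nothing on its own; the stream enumeration in step 1 and an offline hive comparison are the stronger signals.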
What makes Rustock.A so different is how it attempts to avoid detection by rootkit detectors like RootkitRevealer and BlackLight. These detectors compare a high-level view (the Windows API level) with a low-level view (the process level) and look for contradictions between the two.
Some of the rootkit techniques used by Rustock.A are:
- It has no process. All code runs either from within a driver or as a kernel thread.
- It uses ADS and rootkit techniques to make its file virtually impossible to locate.
- It does not use API hooks, but Kernel Object Hooking (explained by Greg Hoglund on rootkit.com), thereby avoiding detection by analysis of the native API as well as by integrity checks of kernel structures.
- It avoids detection of the hidden pe386.sys driver by removing its entries from kernel structures like the Service Control Manager, the Object Manager and the loaded module list.
- pe386.sys is completely polymorphic.
- pe386.sys is capable of scanning loaded files for certain strings used by rootkit detectors. When one of these strings is found, it changes its own behaviour to avoid detection.
Most of these techniques are used by other modern Windows rootkits, but not all of them in one rootkit. Together with the new KOH techniques, Rustock could well be the start of a new chapter in rootkit history.