TROJ_RUSTOCK
Rustok
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
RUSTOCK malware are mostly backdoors, Trojans, and rootkits that have been downloaded by other malware such as BREDOLAB and VIRUX. This arrival routine was observed in website compromises seen in 2009 and 2010. RUSTOCK also came as attachment to spammed email.
RUSTOCK acts as a proxy server on affected systems. It uses this routine to send spammed messages. The content of the spammed messages sent are mostly pharmacy/medical content.
In addition to its spam-sending capabilities, RUSTOCK has rootkit capablities. These rootkit capabilities enable it to hide the related files, processes, and registry information it created -- making RUSTOCK difficult to detect and remove.
RUSTOCK monitors the infected machine's connection to legitimate sites such as yahoo.com and microsoft.com. It does its monitoring for the purposes of search index hijacking or for preventing the user from accessing these legitimates sites.
The RUSTOCK spam botnet was taken down in early 2011. This effort sent spam volumes to a noticeable decline in 2011.
TECHNICAL DETAILS
Installation
This Trojan drops the following files:
- %System%\drivers\{random}.sys
- %System%:lzx32.sys
- %System%:18467
(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)
Other System Modifications
This Trojan adds the following registry entries as part of its installation routine:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
ImagePath = "\??\C:\WINDOWS\system32:lzx32.sys" or "\SystemRoot\System32:18467"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386\Security
Security = "{Hex values}"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
Type = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
Start = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
ErrorControl = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
DisplayName = "Win23 lzx files loader"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
Group = "Base"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
ExtParam = "{Hex values}"
It modifies the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386\Security
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random}
Other Details
This Trojan connects to the following possibly malicious URL:
- bl.{BLOCKED}p.net
- bl1.{BLOCKED}ion.net.il
- cbl.{BLOCKED}t.org
- dul.dn{BLOCKED}bs.net
- ftp.icq.com/p{BLOCKED}4/ICQ_5/icq5_setup.exe
- http://{BLOCKED}.{BLOCKED}.194.158/index.php?page=main
- http://{BLOCKED}.{BLOCKED}.194.22/index.php?page=main
- http://{BLOCKED}r-traiding.com/login.php
- http://{BLOCKED}r-traiding.net/login.php
- http://{BLOCKED}stribution.net/login.php
- http://{BLOCKED}n.cn/login.php
- http://{BLOCKED}HJe.de/login.php
- http://{BLOCKED}avto.biz/login.php
- http://{BLOCKED}avto.org/login.php
- http://{BLOCKED}olver.cc/login.php
- http://{BLOCKED}efhw2J.biz/login.php
- http://{BLOCKED}aldns.org/login.php
- http://{BLOCKED}x.cc/login.php
- http://{BLOCKED}st.name/login.php
- http://{BLOCKED}atrading.net/login.php
- http://{BLOCKED}ynewsagency.cn/login.php
- http://{BLOCKED}ynewsagency.com/login.php
- http://{BLOCKED}ent.biz/login.php
- http://{BLOCKED}ent.mobi/login.php
- http://{BLOCKED}computers.be/login.php
- http://{BLOCKED}computers.com/login.php
- http://{BLOCKED}b-system.info/login.php
- http://{BLOCKED}b-system.name/login.php
- http://{BLOCKED}k.in/login.php
- http://{BLOCKED}ent-a-car.biz/login.php
- http://{BLOCKED}ent-a-car.info/login.php
- http://{BLOCKED}n.in/login.php
- http://{BLOCKED}n.tv/login.php
- http://{BLOCKED}ecompany.cn/login.php
- http://{BLOCKED}ecompany.info/login.php
- http://{BLOCKED}iedinvestors.com/login.php
- http://{BLOCKED}wgeneration.ws/login.php
- http://{BLOCKED}eper.cc/login.php
- http://{BLOCKED}e.info/login.php
- http://{BLOCKED}tserver.biz/login.php
- http://{BLOCKED}tserver.name/login.php
- list.{BLOCKED}l.org
- r{BLOCKED}-abuse.org
- sbl-xbl.{BLOCKED}s.org
NOTES:
RUSTOCK monitors the infected machine's connection to legitimate sites such as yahoo.com and microsoft.com. It does its monitoring for the purposes of search index hijacking or for preventing the user from accessing these legitimates sites.