ALIASES:

Rustok

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware, Via email

RUSTOCK malware are mostly backdoors, Trojans, and rootkits that have been downloaded by other malware such as BREDOLAB and VIRUX. This arrival routine was observed in website compromises seen in 2009 and 2010. RUSTOCK also came as attachment to spammed email.

RUSTOCK acts as a proxy server on affected systems. It uses this routine to send spammed messages. The content of the spammed messages sent are mostly pharmacy/medical content.

In addition to its spam-sending capabilities, RUSTOCK has rootkit capablities. These rootkit capabilities enable it to hide the related files, processes, and registry information it created -- making RUSTOCK difficult to detect and remove.

RUSTOCK monitors the infected machine's connection to legitimate sites such as yahoo.com and microsoft.com. It does its monitoring for the purposes of search index hijacking or for preventing the user from accessing these legitimates sites.

The RUSTOCK spam botnet was taken down in early 2011. This effort sent spam volumes to a noticeable decline in 2011.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs

Installation

This worm drops the following files:

  • %System%\drivers\{random}.sys
  • %System%:lzx32.sys
  • %System%:18467

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

Other System Modifications

This worm adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
ImagePath = "\??\C:\WINDOWS\system32:lzx32.sys" or "\SystemRoot\System32:18467"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386\Security
Security = "{Hex values}"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
Type = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
Start = "1"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
ErrorControl = "0"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
DisplayName = "Win23 lzx files loader"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
Group = "Base"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386
ExtParam = "{Hex values}"

It modifies the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\pe386\Security

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{random}

Other Details

This worm connects to the following possibly malicious URL:

  • bl.{BLOCKED}p.net
  • bl1.{BLOCKED}ion.net.il
  • cbl.{BLOCKED}t.org
  • dul.dn{BLOCKED}bs.net
  • ftp.icq.com/p{BLOCKED}4/ICQ_5/icq5_setup.exe
  • http://{BLOCKED}.{BLOCKED}.194.158/index.php?page=main
  • http://{BLOCKED}.{BLOCKED}.194.22/index.php?page=main
  • http://{BLOCKED}r-traiding.com/login.php
  • http://{BLOCKED}r-traiding.net/login.php
  • http://{BLOCKED}stribution.net/login.php
  • http://{BLOCKED}n.cn/login.php
  • http://{BLOCKED}HJe.de/login.php
  • http://{BLOCKED}avto.biz/login.php
  • http://{BLOCKED}avto.org/login.php
  • http://{BLOCKED}olver.cc/login.php
  • http://{BLOCKED}efhw2J.biz/login.php
  • http://{BLOCKED}aldns.org/login.php
  • http://{BLOCKED}x.cc/login.php
  • http://{BLOCKED}st.name/login.php
  • http://{BLOCKED}atrading.net/login.php
  • http://{BLOCKED}ynewsagency.cn/login.php
  • http://{BLOCKED}ynewsagency.com/login.php
  • http://{BLOCKED}ent.biz/login.php
  • http://{BLOCKED}ent.mobi/login.php
  • http://{BLOCKED}computers.be/login.php
  • http://{BLOCKED}computers.com/login.php
  • http://{BLOCKED}b-system.info/login.php
  • http://{BLOCKED}b-system.name/login.php
  • http://{BLOCKED}k.in/login.php
  • http://{BLOCKED}ent-a-car.biz/login.php
  • http://{BLOCKED}ent-a-car.info/login.php
  • http://{BLOCKED}n.in/login.php
  • http://{BLOCKED}n.tv/login.php
  • http://{BLOCKED}ecompany.cn/login.php
  • http://{BLOCKED}ecompany.info/login.php
  • http://{BLOCKED}iedinvestors.com/login.php
  • http://{BLOCKED}wgeneration.ws/login.php
  • http://{BLOCKED}eper.cc/login.php
  • http://{BLOCKED}e.info/login.php
  • http://{BLOCKED}tserver.biz/login.php
  • http://{BLOCKED}tserver.name/login.php
  • list.{BLOCKED}l.org
  • r{BLOCKED}-abuse.org
  • sbl-xbl.{BLOCKED}s.org