Abstract
Paper Title
What Makes the Rustocks Tick!

Author(s)
Chandra Prakash (USA), Lead Advanced Malware Research, Sunbelt Software.

Time
11 December, Thursday, 15:30 - 16:10.

The Rustock family of rootkits is undoubtedly the most notorious family of spambot rootkits. Rustock A, B and now Rustock.C have appeared in the wild chronologically in that order, and each newer variant has evolved with an increasing degree of sophistication and complexity. This paper first presents a comparative analysis of the evolution of the stealth techniques used by these Rustock variants. The comparison covers their mode of infection, an explanation of the kernel code disassembly behind their stealth mechanisms, their underlying operation, and techniques for detection and remediation. It then delves into a very detailed reverse-engineered analysis of the latest variant, Rustock.C, covering the different phases of its kernel-mode and user-mode activity. Specifically, the paper explains the Rustock.C DriverEntry startup code: its multi-layered unpacking routine, its well-tuned loader, its techniques for obfuscating the loaded image, its hook initialization routines, and several further aspects. For steady-state operation, the paper describes the driver's dispatch routines and the activities of its worker thread, which together manifest its underlying operation. In addition, the paper presents some of its new techniques for registry hiding, file system hiding, anti-debugging tricks and its revival strategy, all of which work together to make it a highly effective spambot rootkit.