M86 Security Labs

Rustock


March 20, 2009

Aliases

  • Costrat

Comments

The ubiquitous Rustock has been around in various forms for at least two years, probably longer. It is a sophisticated and prolific spamming machine and a leader in terms of spam output; the individual spambots are among the fastest senders we have observed. Rustock uses a rootkit to hide itself on its host and changes its spam templates often. Its spam focuses almost exclusively on male enlargement products and other pharmaceutical drugs. Most antivirus programs do not identify Rustock variants under that name, but rather under generic detection names.

Features

  • Reports to its control server on port 80 using encrypted HTTP
  • Performs DNS MX lookups to send spam directly to recipients' mail servers
  • Employs a kernel-mode rootkit
  • Drops a component file in an Alternate Data Stream to hide it from the user
  • Injects code into a legitimate process to execute its spamming module

Spamming Rate

  • 25,000 messages per hour per bot

Command and Control

Rustock communicates with its control server on port 80 using encrypted HTTP. Varying domains are used to establish contact with the control server. From the samples we have examined, Rustock tries the following domain names:

  • onlinescannow.com
  • protectionforless.com
  • guardandprotector.com
  • piecefordesktop.com
  • lekatariba.info
  • ekbad.me
  • mordva2009aa.info
  • belarus2014in.com
  • moscow1766bc.me
  • www4.binderyservice.mobi
  • www3.binderyservice.mobi
  • www2.binderyservice.mobi
  • www1.binderyservice.mobi
  • liquidlove.cc
  • masterofliquid.info
  • masterofliquidonline.info
  • contiadverstising.name
  • fyppgj.cn
  • ufkqukbd2.cn


Rustock sends HTTP requests as below to its control server:

POST /login.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: <random host>
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: <varying length>
Connection: Close
Pragma: no-cache

POST /data.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: <random host>
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: <varying length>
Connection: Close
Pragma: no-cache

POST /main.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: <random host>
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: <varying length>
Connection: Close
Pragma: no-cache
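The three requests above share a fixed fingerprint: an HTTP/1.0 POST to login.php, data.php or main.php, the same MSIE 6.0 user agent, a gzip-encoded request body (something a real browser does not send), a multipart/form-data Content-Type with no boundary parameter, and Pragma: no-cache with Connection: Close. The following script is an added example written for this page, not M86 code; it parses raw request headers (for instance from a proxy log or packet capture) and scores them against that profile and the domain list above. The sample requests at the bottom are constructed, and the scoring weights are our own choice.

```python
"""Score raw HTTP requests against the Rustock check-in profile.

Added example, not M86's tooling. The traits and domains come from the
requests and domain list on this page; the weights are an assumption.
"""
from typing import Dict, List, Tuple

# Domains from the page's list; the www1-www4.binderyservice.mobi hosts are
# covered by matching the parent domain.
KNOWN_C2_DOMAINS = {
    "onlinescannow.com", "protectionforless.com", "guardandprotector.com",
    "piecefordesktop.com", "lekatariba.info", "ekbad.me", "mordva2009aa.info",
    "belarus2014in.com", "moscow1766bc.me", "binderyservice.mobi",
    "liquidlove.cc", "masterofliquid.info", "masterofliquidonline.info",
    "contiadverstising.name", "fyppgj.cn", "ufkqukbd2.cn",
}
RUSTOCK_PATHS = {"/login.php", "/data.php", "/main.php"}
RUSTOCK_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"


def parse_request(raw: str) -> Tuple[str, str, str, Dict[str, str]]:
    """Split a raw request into (method, path, version, headers).
    Header names are lower-cased; values keep their case."""
    lines = raw.strip().splitlines()
    method, path, version = lines[0].split()  # e.g. "POST /login.php HTTP/1.0"
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, version, headers


def domain_is_known(host: str) -> bool:
    """True if host equals, or is a subdomain of, a listed control domain."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in KNOWN_C2_DOMAINS)


def score_request(raw: str) -> Tuple[int, List[str]]:
    """Return (score, reasons). Each matched trait scores one point; a known
    control domain scores three, since it is the strongest single indicator."""
    method, path, version, h = parse_request(raw)
    reasons: List[str] = []
    if method == "POST" and version == "HTTP/1.0" and path in RUSTOCK_PATHS:
        reasons.append("POST to %s over HTTP/1.0" % path)
    if h.get("user-agent") == RUSTOCK_UA:
        reasons.append("fixed MSIE 6.0 / .NET CLR 1.1.4322 user agent")
    if h.get("content-encoding", "").lower() == "gzip":
        reasons.append("gzip-compressed request body (browsers do not send these)")
    if h.get("content-type", "").lower() == "multipart/form-data":
        reasons.append("multipart/form-data with no boundary parameter")
    if h.get("pragma", "").lower() == "no-cache" and h.get("connection", "").lower() == "close":
        reasons.append("Pragma: no-cache with Connection: Close")
    host_hit = domain_is_known(h.get("host", ""))
    if host_hit:
        reasons.append("Host is a listed Rustock control domain")
    return len(reasons) + (2 if host_hit else 0), reasons


def is_rustock_beacon(raw: str, threshold: int = 4) -> bool:
    """Flag a request once enough traits line up (threshold is an assumption)."""
    return score_request(raw)[0] >= threshold


# Constructed samples: a Rustock-style check-in and an ordinary browser post.
SAMPLE_BEACON = """POST /data.php HTTP/1.0
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
Accept-Language: en
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Host: www2.binderyservice.mobi
Content-Type: multipart/form-data
Content-Encoding: gzip
Content-Length: 1432
Connection: Close
Pragma: no-cache
"""

SAMPLE_BENIGN = """POST /submit HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/60.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 27
Connection: keep-alive
"""

if __name__ == "__main__":
    for label, req in (("beacon", SAMPLE_BEACON), ("benign", SAMPLE_BENIGN)):
        score, why = score_request(req)
        print(label, score, is_rustock_beacon(req), why)
```

The domain list is the weakest part of such a rule over time, since the operators rotate hostnames; the header traits are what keep matching across the varying domains the page describes, which is why the example scores them separately.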

Malware Behavior on Host

Rustock drops its rootkit-based driver into an Alternate Data Stream of the Windows directory, where it is hidden from the unsuspecting user:

  • %SystemRoot%:lzx32.sys
  • %SystemRoot%:18462.sys


It may also drop these drivers:

  • %SystemRoot%\drivers\lzx32.sys
  • %SystemRoot%\drivers\pe386.sys
  • %SystemRoot%\drivers\42d44cfa.sys 


Note: newer variants can also drop a .SYS file with an 8-random-character name in the %SystemRoot%\drivers\ directory.

It registers itself as a service so that it is loaded at every Windows start-up:

  • HKEY_Local_Machine\System\CurrentControlSet\Services\lzx32
    • DisplayName = Win32 lzx files loader
    • ImagePath = %SystemRoot%:lzx32.sys or %SystemRoot%\drivers\lzx32.sys


  • HKEY_Local_Machine\System\CurrentControlSet\Services\pe386.sys
    • DisplayName = Win32 PE files loader
    • ImagePath = %SystemRoot%\drivers\PE386.sys or %SystemRoot%:18462.sys
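The two service registrations above give a defender concrete things to look for: an ImagePath that names a stream (a colon after the directory, as in %SystemRoot%:lzx32.sys) rather than a file, the listed driver file names, and the two display names. The script below is an added example written for this page, not M86 tooling; it parses the text saved from "reg query HKLM\SYSTEM\CurrentControlSet\Services /s" on the suspect host and reports services matching those indicators. The 8-hex-character file-name rule is our own weak heuristic modelled on 42d44cfa.sys, not something the page states, and the registry output at the bottom is constructed.

```python
r"""Flag Rustock-style service registrations in saved 'reg query' output.

Added example, not M86's tooling. Input is the text of
    reg query HKLM\SYSTEM\CurrentControlSet\Services /s
The indicators come from this page; the 8-hex-character name rule is a
heuristic of our own and is reported as such.
"""
import re
from typing import Dict, List

KNOWN_DRIVER_NAMES = {"lzx32.sys", "pe386.sys", "18462.sys", "42d44cfa.sys"}
KNOWN_SERVICE_KEYS = {"lzx32", "pe386.sys"}
KNOWN_DISPLAY_NAMES = {"win32 lzx files loader", "win32 pe files loader"}
RANDOM_HEX_NAME = re.compile(r"^[0-9a-f]{8}\.sys$", re.IGNORECASE)
# reg query prints "    <name>    <REG_TYPE>    <data>"; value names
# containing spaces are not handled, which is fine for ImagePath/DisplayName.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """Map each HKEY_... key line to the name/value pairs indented under it."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = m.group(3).strip()
    return keys


def is_ads_path(image_path: str) -> bool:
    r"""True when the file component carries a stream name, e.g.
    %SystemRoot%:lzx32.sys or \??\C:\WINDOWS:lzx32.sys."""
    path = image_path.strip().strip('"')
    if path.startswith("\\??\\"):
        path = path[4:]
    tail = path.rsplit("\\", 1)[-1]          # text after the last backslash
    if re.fullmatch(r"[A-Za-z]:", tail):      # bare drive letter, not a stream
        return False
    return ":" in tail


def file_name(image_path: str) -> str:
    """Base name of the driver: strip directories and any stream prefix."""
    tail = image_path.strip().strip('"').rsplit("\\", 1)[-1]
    return tail.rsplit(":", 1)[-1].lower()


def find_suspicious_services(text: str) -> List[dict]:
    """Return one finding per service key that matches any indicator."""
    findings = []
    for key, values in parse_reg_query(text).items():
        reasons: List[str] = []
        image = values.get("ImagePath", "")
        name = file_name(image) if image else ""
        if image and is_ads_path(image):
            reasons.append("ImagePath is an alternate data stream: " + image)
        if name in KNOWN_DRIVER_NAMES:
            reasons.append("known Rustock driver name: " + name)
        elif RANDOM_HEX_NAME.match(name) and "\\drivers\\" in image.lower():
            reasons.append("8-hex-character driver name (weak heuristic): " + name)
        if key.rsplit("\\", 1)[-1].lower() in KNOWN_SERVICE_KEYS:
            reasons.append("known Rustock service key name")
        if values.get("DisplayName", "").lower() in KNOWN_DISPLAY_NAMES:
            reasons.append("known Rustock display name: " + values["DisplayName"])
        if reasons:
            findings.append({"key": key, "reasons": reasons})
    return findings


# Constructed sample output: the two registrations from this page plus a
# legitimate service for comparison.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lzx32
    DisplayName    REG_SZ    Win32 lzx files loader
    ImagePath    REG_EXPAND_SZ    \??\C:\WINDOWS:lzx32.sys
    Type    REG_DWORD    0x1
    Start    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386.sys
    DisplayName    REG_SZ    Win32 PE files loader
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\drivers\PE386.sys
    Type    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip
    DisplayName    REG_SZ    TCP/IP Protocol Driver
    ImagePath    REG_EXPAND_SZ    system32\DRIVERS\tcpip.sys
    Type    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_REG_OUTPUT):
        print(f["key"])
        for r in f["reasons"]:
            print("   ", r)
```

Because the rootkit hides the stream and the driver from on-host tools, run the reg query from a clean boot (or against the offline hive) before trusting its output; the stream check still works because the registry value is a string and not a file-system lookup.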

Rustock behaviour: (diagram not reproduced in this copy)

More details and analysis of Rustock can be viewed in the TRACE blog here.

Last Reviewed: July 15, 2009