W32/Rustock is rootkit enabled trojan that is primarily used for sending spam e-mails from infected systems. Virus definitions are available.
Aliases/Variants
Variants are unavailable.
Virus Name:
Win32/Rustock
Description
W32/Rustock is a backdoor trojan that belongs to a family of rootkit-enabled trojans that were primarily developed to use infected systems as covert proxies to send spam e-mails.
W32/Rustock consists of three components. The first component is a dropper, the second is a driver installer and the third is the actual rootkit driver. All of the components are encrypted and the driver component is compressed with aPLib. The dropper component creates the rootkit installer to appear as a legitimate service. The rootkit installer decrypts and decompresses the actual rootkit driver code, injects the code into itself, and transfers the execution to the rootkit driver code. The rootkit driver then hooks the system functions, ntoskrnl.exe and ntdll.exe. The trojan uses multiple encryption and decryption techniques along with polymorphic behavior to avoid detection.
Virus definitions are available.
Impact
W32/Rustock is a trojan that installs a rootkit on the infected system that allows an unauthenticated remote attacker to execute commands. The infected systems are generally used for sending spam e-mails.
Warning Indicators
W32/Rustock creates the following files on an infected system:
glaide32.sys lzx32.sys
Technical Information
When the dropper component of Win32/Rustock is executed, it examines global events to determine if the rootkit is already running.
The dropper creates the rootkit driver installer and its updates. The installer component is decrypted and installed as a system driver. The dropper component may attempt to create the driver installer component as a legitimate and rarely used system driver such as beep or null. If the driver installer component cannot successfully use beep or null, it may randomly generate a name or use one of the following names:
glaide32.sys lzx32.sys 7005d59.sys
During the infection routine a registry entry is made to indicate the presence of rootkit driver installer. A rootkit driver that uses the name 7005d59.sys, creates the following registry entry on infected systems:
The driver installer decrypts and then decompresses the rootkit driver code, injects the copy of the driver into itself and transfers the execution to the code of the rootkit driver. The rootkit driver uses a hook to interface with system functions to increase detection complexity. The driver updates System Service Dispatch Table (SSDT), which allows the driver to filter requests containing the driver name and help avoid detection by antivirus engines.
IntelliShield Analysis
W32/Rustock uses various obfuscation techniques to avoid detection by virus scanners or host-based intrusion prevention systems, making removal difficult. Once infected, the trojan may disguises itself as a legitimate service. An unauthenticated, remote attacker could use infected systems as a covert proxy to send spam e-mails or other such malicious activities.
Rule-based and application-based firewalls are likely to prevent or limit the impact of this trojan. Rule-based firewalls are typically set up by an administrator for an entire network. These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production. Application-based firewalls are often found on client systems and can be configured to allow certain services and process to access the Internet or local network. These firewalls can be configured to prompt a user each time a new process or service is attempting to access the Internet or local network. Both types of firewalls may prevent malicious code from downloading updates or additional files. The firewalls may also prevent the malicious code from contacting an attacker or website and from accessing local network resources.
Most host intrusion detection/prevention system software, such as Cisco Security Agent, can be configured to warn users when suspicious activity occurs on their systems. This software can be configured to prevent this trojan from attempting to execute their infection routines. Host intrusion detection/prevention system software may also be configured to prompt a user when suspicious activity occurs. Often users can choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.
Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network. User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.
Safeguards
Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.
Block all file attachments except those specifically required for business purposes.
Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.
Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.
Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.
Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations only.
Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.
Provide initial and continuing education to all levels of users throughout the organization.
Users are advised not to open e-mail messages from untrusted sources. Users are advised to verify the authenticity of unexpected files from trusted sources.
Users are advised to use caution when downloading and installing software.
Patches/Software
The Microsoft Virus Analysis for W32/Rustock is available at the following link: Virus Description. The latest definitions for the Microsoft products are available at the following link: Microsoft Malware Protection Center.
Signatures
Cisco Systems Cisco Intrusion Prevention System (IPS) 6.0
Home Edition Base, SP1, SP2, SP3 | Professional Edition Base, SP1, SP2, SP3 | Professional Edition, 64-bit (Itanium) 2003 (itanium 2), Base, SP1, SP2 | Professional x64 (AMD/EM64T) Base, SP1, SP2
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment. Cisco is pleased to offer a free trial of the service.
To register for full access, please visit the IntelliShield trial registration page.
LEGAL DISCLAIMER The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
