Malicious Code Alert

Trojan: W32/Rustock

 
Threat Type: IntelliShield: Malicious Code Alert
IntelliShield ID: 18294
Version: 1
First Published: 2009 June 05 19:41 GMT
Last Published: 2009 June 05 19:41 GMT
Port: Not available
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Mild Damage
 
Version Summary:

W32/Rustock is a rootkit-enabled trojan that is primarily used for sending spam e-mails from infected systems. Virus definitions are available.

 
Aliases/Variants

Variants are unavailable.

Virus Name:

Win32/Rustock

 

Description
 

W32/Rustock is a backdoor trojan that belongs to a family of rootkit-enabled trojans that were primarily developed to use infected systems as covert proxies to send spam e-mails.

W32/Rustock consists of three components. The first component is a dropper, the second is a driver installer, and the third is the actual rootkit driver. All of the components are encrypted, and the driver component is compressed with aPLib. The dropper component installs the rootkit installer so that it appears to be a legitimate service. The rootkit installer decrypts and decompresses the actual rootkit driver code, injects the code into itself, and transfers execution to the rootkit driver code. The rootkit driver then hooks system functions in ntoskrnl.exe and ntdll.exe. The trojan uses multiple encryption and decryption techniques along with polymorphic behavior to avoid detection.

Virus definitions are available.


Impact
 

W32/Rustock is a trojan that installs a rootkit on the infected system, which allows an unauthenticated remote attacker to execute commands. The infected systems are generally used for sending spam e-mails.


Warning Indicators
 

W32/Rustock creates the following files on an infected system:

glaide32.sys
lzx32.sys


Technical Information
 

When the dropper component of Win32/Rustock is executed, it examines global events to determine if the rootkit is already running.

The dropper creates the rootkit driver installer and its updates.  The installer component is decrypted and installed as a system driver.  The dropper component may attempt to create the driver installer component as a legitimate and rarely used system driver such as beep or null.  If the driver installer component cannot successfully use beep or null, it may randomly generate a name or use one of the following names:

glaide32.sys
lzx32.sys
7005d59.sys

During the infection routine, a registry entry is made to indicate the presence of the rootkit driver installer. A rootkit driver that uses the name 7005d59.sys creates the following registry entry on infected systems:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\7005d59
ImagePath = \SystemRoot\System32\drivers\7005d59.sys
Type = 1
Start = 1
ErrorControl = 1

The driver installer decrypts and then decompresses the rootkit driver code, injects the copy of the driver into itself, and transfers execution to the code of the rootkit driver. The rootkit driver uses a hook to interface with system functions, which increases the complexity of detection. The driver updates the System Service Dispatch Table (SSDT), which allows the driver to filter requests containing the driver name and helps it avoid detection by antivirus engines.
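As an added defender-side example, not part of the original alert, the following Python script parses a service listing in the same format the alert uses above and flags entries that match the indicators from the Warning Indicators and Technical Information sections: the driver names glaide32.sys, lzx32.sys and 7005d59.sys, and the legitimate beep or null service names pointing at a driver image other than the one they normally load. The sample export is constructed, and the expected image names beep.sys and null.sys for those two services are an assumption made here rather than a statement in the alert.

```python
"""Flag Rustock-style driver service entries in a Windows registry listing.

Added example, not part of the alert. Checks the indicators listed in the
alert: driver file names glaide32.sys, lzx32.sys, 7005d59.sys and the
HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name> entries with Type=1 and
Start=1 (a boot-start kernel driver).
"""
from typing import Dict, List

# Driver names the alert lists as Rustock indicators.
RUSTOCK_DRIVERS = {"glaide32.sys", "lzx32.sys", "7005d59.sys"}

# Rarely used legitimate services the alert says Rustock may reuse, with the
# image a clean system loads for them (assumption, not stated in the alert).
EXPECTED_IMAGE = {"beep": "beep.sys", "null": "null.sys"}

SERVICES_PREFIX = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

# Constructed sample listing in the layout the alert itself uses.
SAMPLE_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep]
ImagePath = \SystemRoot\System32\drivers\beep.sys
Type = 1
Start = 1
ErrorControl = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\7005d59]
ImagePath = \SystemRoot\System32\drivers\7005d59.sys
Type = 1
Start = 1
ErrorControl = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Null]
ImagePath = \SystemRoot\System32\drivers\lzx32.sys
Type = 1
Start = 1
ErrorControl = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
ImagePath = \SystemRoot\System32\drivers\tcpip.sys
Type = 1
Start = 1
ErrorControl = 1
"""


def parse_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse '[key]' sections with 'name = value' lines into a dict of dicts."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            sections[current][name.strip()] = value.strip()
    return sections


def image_basename(image_path: str) -> str:
    """Return the lower-cased file name at the end of a driver ImagePath."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_rustock_services(text: str) -> List[Dict[str, object]]:
    """Return one finding per service entry that matches an alert indicator."""
    findings: List[Dict[str, object]] = []
    for key, values in parse_export(text).items():
        if not key.lower().startswith(SERVICES_PREFIX.lower()):
            continue
        service = key[len(SERVICES_PREFIX):].lower()
        image = image_basename(values.get("ImagePath", ""))
        reasons = []
        if image in RUSTOCK_DRIVERS:
            reasons.append("ImagePath uses a driver name listed in the alert")
        expected = EXPECTED_IMAGE.get(service)
        if expected and image != expected:
            reasons.append(f"service '{service}' should load {expected}, not {image}")
        if reasons:
            findings.append({
                "service": service,
                "image": image,
                # Type=1, Start=1 is the boot-start kernel driver entry shown above.
                "boot_start_kernel_driver": values.get("Type") == "1"
                and values.get("Start") == "1",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_rustock_services(SAMPLE_EXPORT):
        print(finding)
```

Against the constructed sample the script reports the 7005d59 service (known driver name) and the Null service (known driver name and a legitimate service name loading the wrong image), while the Beep and Tcpip entries pass. A real export from reg.exe stores ImagePath as an expandable string rather than the plain "name = value" layout used here, so the parser would need adjusting for that input.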


IntelliShield Analysis
 

W32/Rustock uses various obfuscation techniques to avoid detection by virus scanners or host-based intrusion prevention systems, making removal difficult. Once installed, the trojan may disguise itself as a legitimate service. An unauthenticated, remote attacker could use infected systems as a covert proxy to send spam e-mails or for other malicious activity.

Rule-based and application-based firewalls are likely to prevent or limit the impact of this trojan. Rule-based firewalls are typically set up by an administrator for an entire network. These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production. Application-based firewalls are often found on client systems and can be configured to allow certain services and processes to access the Internet or local network. These firewalls can be configured to prompt a user each time a new process or service attempts to access the Internet or local network. Both types of firewalls may prevent malicious code from downloading updates or additional files. The firewalls may also prevent the malicious code from contacting an attacker or website and from accessing local network resources.

Most host intrusion detection/prevention system software, such as Cisco Security Agent, can be configured to warn users when suspicious activity occurs on their systems. This software can be configured to prevent this trojan from executing its infection routine. Host intrusion detection/prevention system software may also be configured to prompt a user when suspicious activity occurs. Often users can choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.

Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network. User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.


Safeguards
 

Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.

Block all file attachments except those specifically required for business purposes.

Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.

Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.

Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.

Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations only.

Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.

Provide initial and continuing education to all levels of users throughout the organization.

Users are advised not to open e-mail messages from untrusted sources. Users are advised to verify the authenticity of unexpected files from trusted sources.

Users are advised to use caution when downloading and installing software.


Patches/Software
 

The Microsoft Virus Analysis for W32/Rustock is available at the following link: Virus Description. The latest definitions for the Microsoft products are available at the following link: Microsoft Malware Protection Center.


Signatures
 
Cisco Intrusion Prevention System (IPS) 6.0

Signature ID | Signature Name | Release | Latest Release Date
17363/0 | Rustock Botnet | S466 | 2010 Feb 04
17363/1 | Rustock Botnet | S531 | 2010 Nov 17
17363/2 | Rustock Botnet | S531 | 2010 Nov 17
17363/3 | Rustock Botnet | S756 | 2013 Nov 27
 
Alert History
 

Initial Release



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShield: Malicious Code Alert Original Release Base

Associated Products:
Microsoft, Inc.: Windows 2000 Advanced Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Microsoft, Inc.: Windows Server 2003 Datacenter Edition Base, SP1, SP2 | Datacenter Edition, 64-bit (Itanium) Base, SP1, SP2 | Datacenter Edition x64 (AMD/EM64T) Base, SP1, SP2 | Enterprise Edition Base, SP1, SP2 | Enterprise Edition, 64-bit (Itanium) Base, SP1, SP2 | Enterprise Edition x64 (AMD/EM64T) Base, SP1, SP2 | Standard Edition Base, SP1, SP2 | Standard Edition, 64-bit (Itanium) Base, SP1, SP2 | Standard Edition x64 (AMD/EM64T) Base, SP1, SP2 | Web Edition Base, SP1, SP2
Microsoft, Inc.: Windows XP Home Edition Base, SP1, SP2, SP3 | Professional Edition Base, SP1, SP2, SP3 | Professional Edition, 64-bit (Itanium) Base, 2003 (Itanium 2), SP1, SP2 | Professional x64 (AMD/EM64T) Base, SP1, SP2




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.