Chandra will be discussing the Rustock rootkit at AVAR 2008. The subject will be interesting:
What makes the Rustocks tick!
The Rustock family of rootkits is undoubtedly the most notorious collection spambot rootkits. Rustock A, B and now Rustock.C have invaded the Web chronologically in that order. Each newer variant has evolved with increasing degree of sophistication and complexity. This paper first presents a comparative analysis of the evolution of sly techniques used by these Rustock variants. The comparison includes their mode of infection, explanation of kernel code disassembly for their stealth mechanism, underlying operation and techniques for detection and remediation. Then it delves into a very detailed reverse engineered analysis of the latest Rustock.C variant. The analysis encompasses different phases of its kernel and user mode activity. Specifically, this paper includes explanation of Rustock.C DriverEntry startup code for its multi-layered unpacking routine, well tuned loader, techniques for obfuscation of loaded image, hook initialization routines and several more aspects. In regard to the steady state operation the paper describes its driver dispatch routines and activities of its worker thread that manifest its underlying operation. In addition, the paper also presents some of its new techniques for registry hiding, file system hiding, anti-debugging tricks and revival strategy that all work collaboratively to make it a highly effective spambot rootkit.