Friday, October 7, 2011

Rustock samples and analysis links. Rustock.C, E, I, J and other variants

I thought that the Russian Matryoshka, aka Rustock the Nested Doll, would be a good subject after the previous post about Trojan.Matryoshka (Taidoor) analyzed by Jared Myers from CyberESI. The Russian rootkit Rustock is as notorious as TDSS or Stuxnet and is very sophisticated. Many researchers have published detailed analyses of Rustock, which is why it is a great subject of study. The botnet is down, but the malware is here for you to play with and try to reverse on your own or by following one of the analysis papers linked below.


General File Information

Rustock 23 (VirusTotal, approx. Oct 2009)
File timedatestamp: Thu Oct 01 10:15:30 2009
VT first seen: 2009-11-07 05:29:52
Size: 269312 bytes
MD5: 1A713083A0BC21BE19F1EC496DF4E651

Rustock.NFE (VirusTotal, approx. Mar 2009)
File timedatestamp: Mon Mar 02 12:18:02 2009
VT first seen: 2009-03-20 01:59:48
Size: 98158 bytes
MD5: 8E4994543ADBC2BA2103C6F801898356

Rustock.J (VirusTotal, approx. Aug 2008)
VT first seen: 2008-08-22 05:08:39
Size: 428168 bytes
MD5: 76101675D9CF5BA5238CAE9D5FAC8881

Rustock.I (VirusTotal, approx. Sept 2009)
File timedatestamp: Tue Sep 15 16:42:54 2009
VT first seen: 2009-10-07 18:04:12
Size: 20480 bytes
MD5: 4A5E58D6351C342F3EDC145F6F4EEAFE

Rustock.E (VirusTotal, approx. Sep 2007)
File timedatestamp: Wed Sep 26 05:11:12 2007
Size: 158464 bytes
MD5: 04BA40662923BE168CA4DC2DA924A0D0

Rustock.C (VirusTotal, approx. Jan 2007)
File timedatestamp: Fri Jan 19 09:46:53 2007
VT first seen: 2007-01-22 08:52:17
Size: 70570 bytes
MD5: FDAFB3A14338B2B612C4E5C4F94B3677

Malware Analysis and Botnet Research Links

Download

Automated Scans

Here are the current scans.

Rustock 23
File name: malware.exe
Submission date: 2011-10-07 02:50:13 (UTC)
Result: 36/43 (83.7%)
AhnLab-V3    2011.10.06.00    2011.10.06    Win-Trojan/Newrest.269312
AntiVir    7.11.15.141    2011.10.06    TR/Dropper.Gen
Avast    6.0.1289.0    2011.10.06    Win32:Neredr [Drp]
AVG    10.0.0.1190    2011.10.06    BackDoor.Generic12.EG
BitDefender    7.2    2011.10.07    Gen:Trojan.Heur.Rustock.1
CAT-QuickHeal    11.00    2011.10.05    W32.Rustock.J
ClamAV    0.97.0.0    2011.10.07    Trojan.Rustock-23
Commtouch    5.3.2.6    2011.10.07    W32/NewRest.A.gen!Eldorado
Comodo    10368    2011.10.07    TrojWare.Win32.TrojanDownloader.Boltolog.~JH3
DrWeb    5.0.2.03300    2011.10.07    Trojan.Spambot.5077
Emsisoft    5.1.0.11    2011.10.07    Backdoor.WinNT.Rustock!IK
eSafe    7.0.17.0    2011.10.06    Win32.Pandex
eTrust-Vet    36.1.8603    2011.10.06    -
F-Prot    4.6.2.117    2011.10.06    W32/NewRest.A.gen!Eldorado
F-Secure    9.0.16440.0    2011.10.07    Gen:Trojan.Heur.Rustock.1
Fortinet    4.3.370.0    2011.10.06    W32/NewRest.BC!tr.bdr
GData    22    2011.10.07    Gen:Trojan.Heur.Rustock.1
Ikarus    T3.1.1.107.0    2011.10.07    Backdoor.WinNT.Rustock
Jiangmin    13.0.900    2011.10.06    Backdoor/NewRest.axy
K7AntiVirus    9.115.5248    2011.10.06    Riskware
Kaspersky    9.0.0.837    2011.10.07    Backdoor.Win32.NewRest.bc
McAfee    5.400.0.1158    2011.10.07    Generic BackDoor!bfe
McAfee-GW-Edition    2010.1D    2011.10.07    Generic BackDoor!bfe
Microsoft    1.7702    2011.10.06    Backdoor:WinNT/Rustock.AN
NOD32    6523    2011.10.07    a variant of Win32/Rustock.NKU
Norman    6.07.11    2011.10.06    W32/Suspicious_Gen2.HITO
nProtect    2011-10-06.01    2011.10.06    Backdoor/W32.NewRest.269312.D
Panda    10.0.3.5    2011.10.06    Rootkit/Farfli.X
PCTools    8.0.0.5    2011.10.07    Trojan.Pandex!rem
Sophos    4.70.0    2011.10.06    Mal/Generic-L
Symantec    20111.2.0.82    2011.10.07    Trojan.Pandex
TheHacker    6.7.0.1.318    2011.10.06    Backdoor/NewRest.bc
TrendMicro    9.500.0.1008    2011.10.06    BKDR_RUSTOCK.SMA
TrendMicro-HouseCall    9.500.0.1008    2011.10.07    BKDR_RUSTOCK.SMA
VBA32    3.12.16.4    2011.10.06    Malware-Cryptor.General.3
VIPRE    10685    2011.10.07    Trojan-Dropper.Win32.Rustock.j (v)
VirusBuster    14.0.252.5    2011.10.06    Backdoor.NewRest!90rGdRrhb6c
MD5: 1a713083a0bc21be19f1ec496df4e651

Rustock.NFE
File name: malware.exe
Submission date: 2011-10-07 02:54:50 (UTC)
Result: 35/42 (83.3%)
Virustotal
AhnLab-V3    2011.10.06.00    2011.10.06    Win-Trojan/Rustock.98158
AntiVir    7.11.15.141    2011.10.06    TR/Rootkit.Gen
Antiy-AVL    2.0.3.7    2011.10.06    Backdoor/Win32.NewRest.gen
Avast    6.0.1289.0    2011.10.06    Win32:RustNT [Rtk]
AVG    10.0.0.1190    2011.10.06    BackDoor.Generic11.CDJ
BitDefender    7.2    2011.10.07    Backdoor.Rustock.NFE
CAT-QuickHeal    11.00    2011.10.05    Trojan.Agent.ATV
Commtouch    5.3.2.6    2011.10.07    W32/SYStroj.S.gen!Eldorado
Comodo    10368    2011.10.07    Backdoor.Win32.NewRest.A
DrWeb    5.0.2.03300    2011.10.07    Trojan.Spambot.8555
Emsisoft    5.1.0.11    2011.10.07    Backdoor.Win32.NewRest!IK
F-Prot    4.6.2.117    2011.10.06    W32/SYStroj.S.gen!Eldorado
F-Secure    9.0.16440.0    2011.10.07    Backdoor.Rustock.NFE
Fortinet    4.3.370.0    2011.10.06    W32/Backdoor!tr
GData    22    2011.10.07    Backdoor.Rustock.NFE
Ikarus    T3.1.1.107.0    2011.10.07    Backdoor.Win32.NewRest
Jiangmin    13.0.900    2011.10.06    Backdoor/NewRest.bhg
K7AntiVirus    9.115.5248    2011.10.06    Riskware
Kaspersky    9.0.0.837    2011.10.07    Backdoor.Win32.NewRest.z
McAfee    5.400.0.1158    2011.10.07    W32/Rustock
McAfee-GW-Edition    2010.1D    2011.10.07    W32/Rustock
Microsoft    1.7702    2011.10.06    Backdoor:WinNT/Rustock.E
NOD32    6523    2011.10.07    a variant of Win32/Rustock.NKU
Norman    6.07.11    2011.10.06    W32/Rustock.ALF
nProtect    2011-10-06.01    2011.10.06    Backdoor/W32.Rustock.98158
Panda    10.0.3.5    2011.10.06    Generic Backdoor
PCTools    8.0.0.5    2011.10.07    Backdoor.Rustock.C!rem
Sophos    4.70.0    2011.10.06    Mal/TDSSPack-G
Symantec    20111.2.0.82    2011.10.07    Backdoor.Rustock.B
TheHacker    6.7.0.1.318    2011.10.06    Backdoor/NewRest.z
TrendMicro    9.500.0.1008    2011.10.06    BKDR_RUSTOCK.SMB
TrendMicro-HouseCall    9.500.0.1008    2011.10.07    BKDR_RUSTOCK.SMB
VBA32    3.12.16.4    2011.10.06    Malware-Cryptor.General.3
VIPRE    10685    2011.10.07    Backdoor.Rustock
VirusBuster    14.0.252.5    2011.10.06    Backdoor.NewRest!n6q3ymQd7tQ
MD5: 8e4994543adbc2ba2103c6f801898356

Rustock.J
Virustotal
c25a91a3c1301c877870d0a9c7287a3b19ed5802
Submission date: 2011-07-02 03:20:19 (UTC)
AhnLab-V3     2011.07.02.00     2011.07.01     Trojan/Win32.ADH
AntiVir     7.11.10.197     2011.07.01     TR/Dropper.Gen
Avast     4.8.1351.0     2011.07.01     Win32:Foxer
Avast5     5.0.677.0     2011.07.01     Win32:Foxer
AVG     10.0.0.1190     2011.07.01     Downloader.FraudLoad.AO
BitDefender     7.2     2011.07.02     Trojan.Rootkit.Rustock.J
Comodo     9248     2011.07.02     TrojWare.Win32.Trojan.DNSChanger.VD0
eTrust-Vet     36.1.8421     2011.07.01     Win32/ASuspect.HDFDS
F-Secure     9.0.16440.0     2011.07.02     Trojan-Dropper:W32/Agent.FDD
GData     22     2011.07.02     Trojan.Rootkit.Rustock.J
Ikarus     T3.1.1.104.0     2011.07.01     Win32.SuspectCrc
Jiangmin     13.0.900     2011.07.01     TrojanDropper.Agent.qig
K7AntiVirus     9.107.4863     2011.07.01     Trojan
Kaspersky     9.0.0.837     2011.07.02     -
McAfee     5.400.0.1158     2011.07.02     Generic.dx
McAfee-GW-Edition     2010.1D     2011.07.02     Generic.dx
Microsoft     1.7000     2011.07.01     TrojanDropper:Win32/Alureon.N
Norman     6.07.10     2011.07.01     W32/Suspicious_Gen2.IRVW
nProtect     2011-07-01.01     2011.07.01     Trojan.DNSChanger.VD
Panda     10.0.3.5     2011.07.01     Trj/CI.A
PCTools     8.0.0.5     2011.07.01     Trojan.ADH
Sophos     4.67.0     2011.07.02     Mal/Generic-L
Symantec     20111.1.0.186     2011.07.02     Trojan.ADH
VBA32     3.12.16.4     2011.07.01     Malware-Cryptor.Win32.General.4
VIPRE     9745     2011.07.02     Media Code, Inc (v)
MD5: 76101675d9cf5ba5238cae9d5fac8881

Rustock.I
Virustotal
File name: malware.exe
Submission date: 2011-10-07 03:27:30 (UTC)
Result: 37/43 (86.0%)
AhnLab-V3    2011.10.06.00    2011.10.06    Win-Trojan/Murlo.20480.BI
AntiVir    7.11.15.141    2011.10.06    TR/Dldr.Agent.20478
Avast    6.0.1289.0    2011.10.06    Win32:Trojan-gen
AVG    10.0.0.1190    2011.10.06    BackDoor.Generic11.AYOE
BitDefender    7.2    2011.10.07    Trojan.Generic.2509041
CAT-QuickHeal    11.00    2011.10.05    TrojanDownloader.Murlo.chj
Commtouch    5.3.2.6    2011.10.07    W32/Rustock.I
Comodo    10368    2011.10.07    UnclassifiedMalware
DrWeb    5.0.2.03300    2011.10.07    Trojan.DownLoad.57537
Emsisoft    5.1.0.11    2011.10.07    Trojan-Downloader.Win32.Murlo!IK
eTrust-Vet    36.1.8603    2011.10.06    Win32/Rustock.JG
F-Prot    4.6.2.117    2011.10.06    W32/Rustock.I
F-Secure    9.0.16440.0    2011.10.07    Trojan.Generic.2509041
Fortinet    4.3.370.0    2011.10.06    W32/Agent.OKM!tr.bdr
GData    22    2011.10.07    Trojan.Generic.2509041
Ikarus    T3.1.1.107.0    2011.10.07    Trojan-Downloader.Win32.Murlo
Jiangmin    13.0.900    2011.10.06    TrojanDownloader.Murlo.aga
K7AntiVirus    9.115.5248    2011.10.06    Backdoor
Kaspersky    9.0.0.837    2011.10.07    Trojan-Downloader.Win32.Murlo.chj
McAfee    5.400.0.1158    2011.10.07    Generic Downloader.x!bpu
McAfee-GW-Edition    2010.1D    2011.10.07    Generic Downloader.x!bpu
Microsoft    1.7702    2011.10.06    TrojanDownloader:Win32/Rustock.A
NOD32    6523    2011.10.07    Win32/Rustock.NLB
Norman    6.07.11    2011.10.06    W32/DLoader.ABIYA
nProtect    2011-10-06.01    2011.10.06    Trojan-Downloader/W32.MultiDrop.20480.E
Panda    10.0.3.5    2011.10.06    Trj/Downloader.MDW
PCTools    8.0.0.5    2011.10.07    Downloader.Generic
Rising    23.77.04.01    2011.09.30    Trojan.Win32.Generic.122B31C0
Sophos    4.70.0    2011.10.06    Mal/Generic-L
Symantec    20111.2.0.82    2011.10.07    Downloader
TheHacker    6.7.0.1.318    2011.10.06    Trojan/Downloader.Murlo.chj
TrendMicro    9.500.0.1008    2011.10.07    TROJ_MURLO.DQ
TrendMicro-HouseCall    9.500.0.1008    2011.10.07    TROJ_MURLO.DQ
VBA32    3.12.16.4    2011.10.06    Trojan-Downloader.Win32.Murlo.chj
VIPRE    10685    2011.10.07    Trojan.Win32.Generic!BT
ViRobot    2011.10.7.4706    2011.10.07    Trojan.Win32.Downloader.20480.XZ
VirusBuster    14.0.252.5    2011.10.06    Trojan.DL.Rustock!k8yJCVO/R5I
MD5: 4a5e58d6351c342f3edc145f6f4eeafe
Prevx Info:
http://info.prevx.com/aboutprogramtext.asp?PX5=CBEB94DB0045A09250F900D6E53FB500EE9E3B84
ThreatExpert:
http://www.threatexpert.com/report.aspx?md5=4a5e58d6351c342f3edc145f6f4eeafe

Rustock.E
File name: malware.exe
Submission date: 2011-10-07 03:32:34 (UTC)
Result: 30/43 (69.8%)
Virustotal
AntiVir    7.11.15.141    2011.10.06    TR/Rootkit.Gen
Avast    6.0.1289.0    2011.10.06    Win32:Rusty
AVG    10.0.0.1190    2011.10.06    Klone.P
BitDefender    7.2    2011.10.07    Win32.Ntldrbot.A
CAT-QuickHeal    11.00    2011.10.05    W32.Rustock.D
Commtouch    5.3.2.6    2011.10.07    W32/Rustock.E
Comodo    10368    2011.10.07    UnclassifiedMalware
DrWeb    5.0.2.03300    2011.10.07    Win32.Ntldrbot
Emsisoft    5.1.0.11    2011.10.07    Virus.Win32.Rustock!IK
eSafe    7.0.17.0    2011.10.06    Win32.TRRootkit
eTrust-Vet    36.1.8603    2011.10.06    -
F-Prot    4.6.2.117    2011.10.06    W32/Rustock.E
F-Secure    9.0.16440.0    2011.10.07    Win32.Ntldrbot.A
Fortinet    4.3.370.0    2011.10.06    W32/Rustock.fam
GData    22    2011.10.07    Win32.Ntldrbot.A
Ikarus    T3.1.1.107.0    2011.10.07    Virus.Win32.Rustock
K7AntiVirus    9.115.5248    2011.10.06    Virus
Kaspersky    9.0.0.837    2011.10.07    Virus.Win32.Rustock.a
McAfee    5.400.0.1158    2011.10.07    Spam-Mailbot.sys!gen
McAfee-GW-Edition    2010.1D    2011.10.07    Spam-Mailbot.sys!gen
Microsoft    1.7702    2011.10.06    Backdoor:WinNT/Rustock.D
NOD32    6523    2011.10.07    Win32/Rustock.A
Norman    6.07.11    2011.10.06    Rustock.CFX
nProtect    2011-10-06.01    2011.10.06    Win32.Ntldrbot.A
Panda    10.0.3.5    2011.10.06    Suspicious file
Rising    23.77.04.01    2011.09.30    Trojan.Win32.Generic.128C3CB1
Sophos    4.70.0    2011.10.06    Mal/RKRustok-B
TrendMicro    9.500.0.1008    2011.10.07    HeurSpy_Rustok1
TrendMicro-HouseCall    9.500.0.1008    2011.10.07    HeurSpy_Rustok1
VIPRE    10685    2011.10.07    Trojan.Win32.Generic!BT
VirusBuster    14.0.252.5    2011.10.06    Rootkit.Rustock.Gen!Pac
MD5: 04ba40662923be168ca4dc2da924a0d0

Rustock.C
Result: 38/43 (88.4%)
Virustotal
AhnLab-V3    2011.10.06.00    2011.10.06    Win-Trojan/Costrat.25088.B
AntiVir    7.11.15.141    2011.10.06    TR/Dropper.Gen
Avast    6.0.1289.0    2011.10.06    Win32:Trojan-gen
AVG    10.0.0.1190    2011.10.06    Obfustat.ITG
BitDefender    7.2    2011.10.07    Backdoor.Rustock.Gen.1
ByteHero    1.0.0.1    2011.09.23    -
CAT-QuickHeal    11.00    2011.10.05    Rootkit.Rustock
ClamAV    0.97.0.0    2011.10.07    Trojan.Clicker-950
Commtouch    5.3.2.6    2011.10.07    W32/Rustock.C
Comodo    10368    2011.10.07    Trojan-Clicker.Win32.Costrat.bk
DrWeb    5.0.2.03300    2011.10.07    Trojan.Spambot
Emsisoft    5.1.0.11    2011.10.07    Backdoor.WinNT.Rustock!IK
eSafe    7.0.17.0    2011.10.06    Win32.Rustock.B
eTrust-Vet    36.1.8603    2011.10.06    -
F-Prot    4.6.2.117    2011.10.06    W32/Rustock.C
F-Secure    9.0.16440.0    2011.10.07    Backdoor.Rustock.Gen.1
Fortinet    4.3.370.0    2011.10.06    W32/Generic.CON!tr
GData    22    2011.10.07    Backdoor.Rustock.Gen.1
Ikarus    T3.1.1.107.0    2011.10.07    Backdoor.WinNT.Rustock
Jiangmin    13.0.900    2011.10.06    TrojanClicker.Costrat.ml
K7AntiVirus    9.115.5248    2011.10.06    Riskware
Kaspersky    9.0.0.837    2011.10.07    Trojan-Clicker.Win32.Costrat.bk
McAfee    5.400.0.1158    2011.10.07    Generic.dx
McAfee-GW-Edition    2010.1D    2011.10.07    Generic.dx
Microsoft    1.7702    2011.10.06    Backdoor:WinNT/Rustock.C
NOD32    6523    2011.10.07    a variant of Win32/Rootkit.Kryptik.BP
Norman    6.07.11    2011.10.06    W32/Agent.ECMM
nProtect    2011-10-06.01    2011.10.06    Trojan-Clicker/W32.Costrat.70570
Panda    10.0.3.5    2011.10.06    Trj/Agent.EDT
PCTools    8.0.0.5    2011.10.07    Backdoor.Rustock.C!rem
Prevx    3.0    2011.10.07    Medium Risk Malware
Rising    23.77.04.01    2011.09.30    Trojan.Win32.Generic.122F6627
Sophos    4.70.0    2011.10.06    Mal/RKRustok-A
Symantec    20111.2.0.82    2011.10.07    Backdoor.Rustock.B
TheHacker    6.7.0.1.318    2011.10.06    Trojan/Clicker.Costrat.bk
TrendMicro    9.500.0.1008    2011.10.07    BKDR_RUSTOCK.AR
TrendMicro-HouseCall    9.500.0.1008    2011.10.07    BKDR_RUSTOCK.AR
VBA32    3.12.16.4    2011.10.06    Malware-Cryptor.Win32.015
VIPRE    10685    2011.10.07    Backdoor.Rustock
VirusBuster    14.0.252.5    2011.10.06    Trojan.Rustock!gMcRHMfFn+E
MD5: fdafb3a14338b2b612c4e5c4f94b3677