A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #2615  by Jaxryley
 Fri Sep 03, 2010 12:32 am
I found that booting from a live CD and cutting/pasting the samples from system32\drivers to the desktop is the easiest way to harvest these.
http://www.microsoft.com/security/porta ... bnix.gen!A
Trojan:WinNT/Bubnix.gen!A is a generic detection for a kernel-mode driver installed by other malware that hides its presence on an affected computer by blocking registry and file access to itself. The trojan may report its installation to a remote server, download and distribute spam e-mail messages and could download and execute arbitrary files.
pnqsdnk.sys - 12 /43 - MS - Trojan:WinNT/Bubnix.gen!A
http://www.virustotal.com/file-scan/rep ... 1283472649
Five samples
(3.73 MiB) Downloaded 794 times
 #2905  by spaceman
 Thu Sep 30, 2010 12:09 pm
Hi, I'm looking for a recent sample of Rustock, can anyone help with that? Most of the samples on Offensivecomputing are pretty outdated. TIA.
 #2906  by EP_X0FF
 Thu Sep 30, 2010 12:31 pm
Hello,

load this driver manually.
Attachments
pass: malware
(796.31 KiB) Downloaded 142 times
 #2919  by EP_X0FF
 Sat Oct 02, 2010 4:51 pm
Did you try to set it as a boot driver? I don't remember now, but earlier when I tried, it survived reboots many times. It keeps a few hooks and a watchdog system thread that overwrites the rootkit driver file after a small delay.
 #2957  by spaceman
 Thu Oct 07, 2010 6:06 pm
Have you noticed any changes to the driver in the past few days? It looks like it no longer hooks the SSDT. I read some articles about the drop in Rustock spam related to an affiliate shutdown, but it seems like the rootkit itself has been updated as well. I'd be interested to know if people have observed similar changes.
 #2965  by EP_X0FF
 Fri Oct 08, 2010 1:18 am
Some AV vendors may mark Black Energy 2+ as Rustock.
 #3205  by Jaxryley
 Sun Oct 24, 2010 12:51 pm
hxxp://www.freewebtown.com/giknow/trip.exe
trip.exe is dropping the new MSE ThinkPoint fake alert plus a couple of extras, and seems to drop a slightly different .sys on each of the three installs I tried?

trip.exe - 9/43 - MD5 : d0ea36ea989162d1e527e0f69a391e6e
http://www.virustotal.com/file-scan/rep ... 1287922114

rnsumes.sys - 2/40 - Trojan:WinNT/Bubnix.gen!A - MD5 : b702fdcd2757b3a52731af724bc41c06
http://www.virustotal.com/file-scan/rep ... 1287921977

zmzazd.sys - 2/40 - Trojan:WinNT/Bubnix.gen!A - MD5 : 8ed7148f7084db3726a23bd880fcfe17
http://www.virustotal.com/file-scan/rep ... 1287921983

acijxydyq.sys - 2/37 - TR/Crypt.ZPACK.Gen - MD5 : 35dd69a628a14e519cf03c93645cfdd6
http://www.virustotal.com/file-scan/rep ... 1287924285
(3.31 MiB) Downloaded 103 times
 #5105  by EP_X0FF
 Sat Feb 19, 2011 3:56 pm
Here is today's fresh sample of the Rustock rootkit. I have no idea how it's now internally named or who currently develops it. Almost no changes since 2008, when I first saw it ITW.

DKOH + IRP hooking (NTFS, Fastfat) + CmRegisterCallback.
It constantly re-hooks Key->ParseProcedure from a watchdog system thread if you unhook it, so kill that thread first.

Attached: the dropper, the driver it downloads and starts (the rootkit itself), and exported driver registry data.
Attachments
pass: malware
(734.31 KiB) Downloaded 133 times
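The IRP hooking on NTFS/Fastfat mentioned in the post above is the one piece of this rootkit's footprint that can be checked with a plain table walk, so here is an added example of that check (written for this page, not code from the thread, from EP_X0FF, or from the rootkit). It models what a rootkit scanner does against a live DRIVER_OBJECT: every MajorFunction[] dispatch pointer should land inside the owning driver's image (DriverStart..DriverStart+DriverSize) or inside the kernel image (unimplemented IRPs point at nt!IopInvalidDeviceRequest); anything else is a hook candidate. The driver_snapshot struct, the image ranges and the two redirected entries are constructed for the example and are not real addresses or a claim about which IRPs Rustock hooks; a real scanner fills the same fields from the live \FileSystem\Ntfs and \FileSystem\Fastfat driver objects.

```c
/* Added example: offline IRP dispatch-table hook check.
 * All structures and addresses are constructed for illustration;
 * only the IRP_MJ_* numbers and the idea of DriverStart/DriverSize
 * come from the WDK. */
#include <stdint.h>
#include <stdio.h>

#define IRP_MJ_CREATE            0x00
#define IRP_MJ_CLOSE             0x02
#define IRP_MJ_READ              0x03
#define IRP_MJ_WRITE             0x04
#define IRP_MJ_QUERY_INFORMATION 0x05
#define IRP_MJ_DIRECTORY_CONTROL 0x0c
#define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d
#define IRP_MJ_DEVICE_CONTROL    0x0e
#define IRP_MJ_CLEANUP           0x12
#define IRP_MJ_MAXIMUM_FUNCTION  0x1b   /* 28 dispatch slots, CREATE..PNP */

/* Minimal stand-in for the DRIVER_OBJECT fields a scanner reads. */
typedef struct {
    const char *name;
    uintptr_t   driver_start;                          /* DriverStart */
    uintptr_t   driver_size;                           /* DriverSize  */
    uintptr_t   major_function[IRP_MJ_MAXIMUM_FUNCTION + 1];
} driver_snapshot;

/* Image range of ntoskrnl, so IopInvalidDeviceRequest is not flagged. */
typedef struct { uintptr_t start, size; } image_range;

static int in_image(uintptr_t p, uintptr_t start, uintptr_t size)
{
    return p >= start && p < start + size;
}

/* Walk MajorFunction[]; a non-NULL pointer that lies in neither the driver's
 * own image nor the kernel image is reported. Returns the number of hooked
 * slots and stores up to max_hooked IRP_MJ indices in hooked[]. */
int find_irp_hooks(const driver_snapshot *d, const image_range *kernel,
                   int *hooked, int max_hooked)
{
    int n = 0;
    for (int mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++) {
        uintptr_t p = d->major_function[mj];
        if (p == 0) continue;
        if (in_image(p, d->driver_start, d->driver_size)) continue;
        if (in_image(p, kernel->start, kernel->size)) continue;
        if (n < max_hooked) hooked[n] = mj;
        n++;
    }
    return n;
}

/* Constructed kernel range (hypothetical addresses). */
image_range sample_kernel(void)
{
    image_range k = { 0x80400000u, 0x1f0000u };
    return k;
}

/* Constructed ntfs.sys snapshot: a handful of implemented IRPs point into
 * ntfs.sys, the rest at a stand-in for nt!IopInvalidDeviceRequest, and two
 * entries have been redirected into a third image belonging to neither.
 * Which slots are redirected is an arbitrary choice for this example. */
driver_snapshot sample_ntfs(void)
{
    driver_snapshot d;
    d.name         = "\\FileSystem\\Ntfs";
    d.driver_start = 0xf8400000u;
    d.driver_size  = 0x8c000u;
    for (int mj = 0; mj <= IRP_MJ_MAXIMUM_FUNCTION; mj++)
        d.major_function[mj] = 0x80420000u;           /* kernel, unimplemented */
    d.major_function[IRP_MJ_CLOSE]               = 0xf8410100u;
    d.major_function[IRP_MJ_READ]                = 0xf8412000u;
    d.major_function[IRP_MJ_WRITE]               = 0xf8413000u;
    d.major_function[IRP_MJ_QUERY_INFORMATION]   = 0xf8414000u;
    d.major_function[IRP_MJ_FILE_SYSTEM_CONTROL] = 0xf8415000u;
    d.major_function[IRP_MJ_DEVICE_CONTROL]      = 0xf8416000u;
    d.major_function[IRP_MJ_CLEANUP]             = 0xf8417000u;
    d.major_function[IRP_MJ_CREATE]              = 0xf9e01200u;  /* hooked */
    d.major_function[IRP_MJ_DIRECTORY_CONTROL]   = 0xf9e01480u;  /* hooked */
    return d;
}

/* Run the check on the constructed sample. */
int scan_sample(int *hooked, int max_hooked)
{
    driver_snapshot d = sample_ntfs();
    image_range k = sample_kernel();
    return find_irp_hooks(&d, &k, hooked, max_hooked);
}

/* i-th hooked IRP_MJ index of the sample, or -1 past the end. */
int sample_hooked_mj(int i)
{
    int h[IRP_MJ_MAXIMUM_FUNCTION + 1];
    int n = scan_sample(h, IRP_MJ_MAXIMUM_FUNCTION + 1);
    return (i >= 0 && i < n) ? h[i] : -1;
}

int main(void)
{
    int h[IRP_MJ_MAXIMUM_FUNCTION + 1];
    int n = scan_sample(h, IRP_MJ_MAXIMUM_FUNCTION + 1);
    printf("%d hooked dispatch slot(s) in %s\n", n, sample_ntfs().name);
    for (int i = 0; i < n; i++)
        printf("  IRP_MJ 0x%02x -> outside driver and kernel images\n", h[i]);
    return 0;
}
```

A hit here is a lead, not a verdict: legitimate filter drivers attach devices rather than patching MajorFunction[], but some endpoint products do patch dispatch tables, so resolve the target address to a loaded module before calling it a rootkit. The check also covers only the IRP part of the footprint listed in the post; the DKOH and the CmRegisterCallback re-hooking of Key->ParseProcedure need separate checks, and as the post notes the watchdog thread will put the IRP pointers back if you restore them without stopping it first.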