[Kamala]

I downloaded Rustock family rootkit from offensivecomputing.net and was unable to successfully infect the system.

I was able to unzip and end up with a malware.exe which appears to be a valid PE. However, running it results in it crashing as opposed to any malware getting installed. Is there more unpacking that need to be done that I am missing? Does anyone happen to know what the steps are if any beyond first level unpackaging that leaves me with malware.exe PE file? Thanks.

[Aleksandra]

Is this real or virtual machine?

[Kamala]

It's a virtual machine.

[Aleksandra]

It's a virtual machine.

What virtual machine do you use?

[Kamala]

I am using virtualbox although I could easily move to baremetal if that would help?

Do you think the malware is running far enough to find out about the env it is running it? I was still suspecting that there might be more to unpack.

[Aleksandra]

It seems that the dropper can detect VirtualBox as Virtual Machine...

Please attach your sample.

[Kamala]

I would be happy to attach the sample but am I allowed to upload samples I downloaded from offensivecomputing website to other sites? Please let me know. If yes, I would be happy to do that. Thanks.

And here is info regarding one of the malware (as specified in http://offensivecomputing.net) I am trying to use in case you already have it -

MD5:
60f7ae2098b2d58869d021e441d2c90e
SHA1:
7a9b9e9b76e581faa65936e935cc9d92c263a48b
SHA256:
c37b5d7661cbf1fa41bbc4f2af850a9f98de9d0fe3333ba866b3408b8a72660d
Original Submitted Filename:
rustock4.exe-mal
Date Added:
2008-09-19 08:58:44.959909
Magic File Type:
MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
Packer Signature:
yoda's Crypter 1.3-->Ashkbiz Danehkar [656,2625]
yoda's cryptor 1.3 -> Ashkbiz Danehkar [711,2847]
Anti-Virus Results:
BitDefender
Trojan.Dropper.Rustock.B
Tags:
Add a tag:
Download Sample Password infected

[Kamala]

I gather it might be ok to post the sample for the benefit of this discussion. Password is infected. Thanks.

As I mentioned earlier I got it from offensivecomputing.net website.

[EP_X0FF]

This is earlier version of Rustock.B

G:\bot-mailer\007spambot-01\driver\objfre\i386\driver.pdb

In your case this is Virtual Box emulation problem, not rootkit problem. Use different machine. Also it can fail to run on MP machine, due to syscall hooking it might bluescreen. Use single CPU machine, Windows XP. Rootkit driver loader file will be attached as ADS to system32 directory.

In case if it still can't load normally, force it manually. Copy attached driver somewhere, change ImagePath to point on this driver and import this reg data.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"="\\SystemRoot\\System32:18467"
"DisplayName"="Win23 PE files loader"
"Group"="Base"
"ExtParam"=hex:28,3d,52,04,9d,2c,08,02,07,66,6a,07,b8,6c,52,f8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum]
"0"="Root\\LEGACY_PE386\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001

[STRELiTZIA]

Hello,
Try attached unpacked (same sample)...