Rustock

Rustock is a rootkit and botnet created on its basis. Rustock appeared in 2006. ^{[1] The} botnet functioned until March 2011. ^[2]

PCs with 32-bit Microsoft Windows OS were amazed. Spam was sent from infected computers, the speed of its distribution could reach 25 thousand messages per hour. ^[3] ^[4] The rustock botnet contained from 150 thousand to 2 million infected computers.

Content

History

Kaspersky Lab believes that the widespread distribution of the Rustock virus began on September 10, 2007. ^[five]

In May 2008, the virus was detected. A few days later it was recognized by several antiviruses. ^[five]

In 2008, due to the temporary disconnection of McColo hosting ( San Jose, California ), which had part of the botnet management servers installed, the botnet's activity decreased. ^[6]

The botnet was destroyed on March 16, 2011 ^[2] as part of a joint operation “b107” ^[7] , conducted by Microsoft , agents of federal law enforcement agencies, FireEye , and the University of Washington . ^[eight]

In May 2011 ^{[9] of the} year, Microsoft stated that a person who used the nickname “Cosma2k” ^[10] was involved in the work of the botnet. Presumably, some of the organizers of the botnet were located in Russia. ^[eleven]

In June 2011, Microsoft posted an appeal to the founders of Rustock in the newspapers Delovoy Peterburg and Moskovskiye Novosti and notified them about the trial of them in the Washington District Court. ^[12]

For information about the creators of the virus July 18, 2011 was announced a large cash reward. ^[12]

Inside

Each infected computer regularly accessed management servers. Interaction with them took place using the HTTP protocol and POST requests. All data is additionally encrypted, according to Symantec using the RC4 algorithm . The exchange session consisted of two phases: key exchange and transfer of instructions. The key exchange occurred when contacting the login.php script (the client sent 96 bytes, the server's response was 16 bytes). Instructions were transmitted by the data.php script. ^[13]

The virus file consists of: ^[13]

Module of primary deobsfukatsii 0x4AF bytes
Rootkit bootloader (0x476 bytes)
Rootkit codes.
Spam submission module.

The rootkit loader uses the ExAllocatePool, ZwQuerySystemInformation, ExFreePool, stricmp functions from ntoskrnl.exe. ^[13]

Variations

Three variations of the Rustock virus were also found:

Version Rustock.С1 - created on September 10, 2007.
Option Rustock.С2 - created on September 26.
Options C3 and C4 - created October 9-10, 2007.

Notes

↑ Chuck Miller. The Rustock botnet spams again . SC Magazine US (July 25, 2008). The appeal date is April 21, 2010. Archived August 15, 2012.
↑ ¹ ² Hickins, Michael . Prolific Spam Network Is Unplugged , Wall Street Journal (March 17, 2011). The appeal date is March 17, 2011.
Via Real Viagra sales power global spam flood - Techworld.com (Neopr.) . News.techworld.com. The appeal date is April 21, 2010. Archived August 15, 2012.
↑ Rustock: M86 Security
↑ ¹ ² "Rustock and all-all-all" (securelist.com)
↑ https://www.theregister.co.uk/2008/11/18/short_mccolo_resurrection/ Dead network arms rustock botnet from the hereafter. McColo dials Russia as world sleeps]
↑ Williams, Jeff Operation b107 - Rustock Botnet Takedown (Neopr.) . The appeal date is March 27, 2011. Archived August 15, 2012.
↑ Wingfield, Nick . Spam Network Shut Down , Wall Street Journal (March 18, 2011). The appeal date is March 18, 2011.
↑ Rustock Botnet Suspect Sought Job at Google - Krebs on Security
↑ Microsoft turns Rustock to the FBI "According to CNET, Cosma2k is the ringleader of the Rustock botnet"
↑ "Microsoft: traces of the organizers of the Rustock botnet lead to Russia" // CyberSecurity.ru "the corporation reported that at least some of the Rustock operators are in Russia."
↑ ¹ ² Microsoft promises $ 250 thousand for data on the "Russian bot"
↑ ¹ ² ³ A Case Study of the Rustock Rootkit and Spam Bot // HotBots

Links

Alexander Gostev. "Rustock and all-all-all" // securelist.com
Ken Chiang, Levi Lloyd (Sandia). A Rootkit and Spam Bot Case Study |
Vyacheslav Rusakov: "Win32.Ntldrbot (aka Rustock.C) is not a myth, but a reality!" (pdf)

[scmagazineus1-1] Chuck Miller. The Rustock botnet spams again . SC Magazine US (July 25, 2008). The appeal date is April 21, 2010. Archived August 15, 2012.

[cnlhfmtps-2] ¹ ² Hickins, Michael . Prolific Spam Network Is Unplugged , Wall Street Journal (March 17, 2011). The appeal date is March 17, 2011.

[3] Via Real Viagra sales power global spam flood - Techworld.com (Neopr.) . News.techworld.com. The appeal date is April 21, 2010. Archived August 15, 2012.

[4] Rustock: M86 Security

[rvvv-5] ¹ ² "Rustock and all-all-all" (securelist.com)

[6] ttps://www.theregister.co.uk/2008/11/18/short_mccolo_resurrection/ Dead network arms rustock botnet from the hereafter. McColo dials Russia as world sleeps]

[7] Williams, Jeff Operation b107 - Rustock Botnet Takedown (Neopr.) . The appeal date is March 27, 2011. Archived August 15, 2012.

[8] Wingfield, Nick . Spam Network Shut Down , Wall Street Journal (March 18, 2011). The appeal date is March 18, 2011.

[9] Rustock Botnet Suspect Sought Job at Google - Krebs on Security

[10] Microsoft turns Rustock to the FBI "According to CNET, Cosma2k is the ringleader of the Rustock botnet"

[11] "Microsoft: traces of the organizers of the Rustock botnet lead to Russia" // CyberSecurity.ru "the corporation reported that at least some of the Rustock operators are in Russia."

[wbcuri-12] ¹ ² Microsoft promises $ 250 thousand for data on the "Russian bot"

[acsotrrasb-13] ¹ ² ³ A Case Study of the Rustock Rootkit and Spam Bot // HotBots