A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #11094  by Kamala
 Tue Jan 17, 2012 6:16 pm
I downloaded Rustock family rootkit from offensivecomputing.net and was unable to successfully infect the system.

I was able to unzip and end up with a malware.exe which appears to be a valid PE. However, running it results in it crashing as opposed to any malware getting installed. Is there more unpacking that need to be done that I am missing? Does anyone happen to know what the steps are if any beyond first level unpackaging that leaves me with malware.exe PE file? Thanks.
 #11099  by Kamala
 Tue Jan 17, 2012 10:10 pm
I am using virtualbox although I could easily move to baremetal if that would help?

Do you think the malware is running far enough to find out about the env it is running it? I was still suspecting that there might be more to unpack.
 #11102  by Kamala
 Wed Jan 18, 2012 12:06 am
I would be happy to attach the sample but am I allowed to upload samples I downloaded from offensivecomputing website to other sites? Please let me know. If yes, I would be happy to do that. Thanks.

And here is info regarding one of the malware (as specified in http://offensivecomputing.net) I am trying to use in case you already have it -

MD5:
60f7ae2098b2d58869d021e441d2c90e
SHA1:
7a9b9e9b76e581faa65936e935cc9d92c263a48b
SHA256:
c37b5d7661cbf1fa41bbc4f2af850a9f98de9d0fe3333ba866b3408b8a72660d
Original Submitted Filename:
rustock4.exe-mal
Date Added:
2008-09-19 08:58:44.959909
Magic File Type:
MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit
Packer Signature:
yoda's Crypter 1.3-->Ashkbiz Danehkar [656,2625]
yoda's cryptor 1.3 -> Ashkbiz Danehkar [711,2847]
Anti-Virus Results:
BitDefender
Trojan.Dropper.Rustock.B
Tags:
Add a tag:
Download Sample Password infected
 #11104  by EP_X0FF
 Wed Jan 18, 2012 3:05 am
This is earlier version of Rustock.B
G:\bot-mailer\007spambot-01\driver\objfre\i386\driver.pdb
In your case this is Virtual Box emulation problem, not rootkit problem. Use different machine. Also it can fail to run on MP machine, due to syscall hooking it might bluescreen. Use single CPU machine, Windows XP. Rootkit driver loader file will be attached as ADS to system32 directory.

In case if it still can't load normally, force it manually. Copy attached driver somewhere, change ImagePath to point on this driver and import this reg data.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386]
"Type"=dword:00000001
"Start"=dword:00000001
"ErrorControl"=dword:00000000
"ImagePath"="\\SystemRoot\\System32:18467"
"DisplayName"="Win23 PE files loader"
"Group"="Base"
"ExtParam"=hex:28,3d,52,04,9d,2c,08,02,07,66,6a,07,b8,6c,52,f8

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security]
"Security"=hex:01,00,14,80,90,00,00,00,9c,00,00,00,14,00,00,00,30,00,00,00,02,\
00,1c,00,01,00,00,00,02,80,14,00,ff,01,0f,00,01,01,00,00,00,00,00,01,00,00,\
00,00,02,00,60,00,04,00,00,00,00,00,14,00,fd,01,02,00,01,01,00,00,00,00,00,\
05,12,00,00,00,00,00,18,00,ff,01,0f,00,01,02,00,00,00,00,00,05,20,00,00,00,\
20,02,00,00,00,00,14,00,8d,01,02,00,01,01,00,00,00,00,00,05,0b,00,00,00,00,\
00,18,00,fd,01,02,00,01,02,00,00,00,00,00,05,20,00,00,00,23,02,00,00,01,01,\
00,00,00,00,00,05,12,00,00,00,01,01,00,00,00,00,00,05,12,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum]
"0"="Root\\LEGACY_PE386\\0000"
"Count"=dword:00000001
"NextInstance"=dword:00000001
Attachments
pass: malware
(57.24 KiB) Downloaded 51 times