Rustock.C - When a myth comes true presented at HackLu 2008

by Frank Boldewin,

Summary : Today's top-notch spambots have one thing in common: next to the ability to send billions of spam mails each day, they are well protected against being easily analyzed or detected by AV scanners, HIPS or other security products. Operating entirely from kernel mode, they use strong poly/metamorphic engines and anti-debugging features. Outgoing connections are usually encrypted and cannot be easily sniffed. At the end of September 2007, rumours made the rounds that a new super-rootkit had been seen in the wild, called "Rustock.C aka Ntldrbot", a successor of its well-known earlier versions. Some voices even alleged that this malware used such advanced tricks that no AV scanner or rootkit detector would be able to detect it with its currently implemented technologies. It is quite understandable that the whole industry was curious whether this was really the case and started hunting for it. As nobody in the industry had found samples of it after several weeks, everyone came to the conclusion that the whole story was just a myth... until May 2008! A Russian AV company called DrWeb published some basic information about this rootkit, proving that it really exists and that it uses very powerful tricks to stay undetected.
This talk presents the results brought to light during a deep analysis of the rootkit.