Rustock.C When a myth comes true

More documents

Recommendations

Info

$\H1B%-12345X@PJL JOB “HackingPrinters”$

Agenda • The family's history • How the myth started rolling • The hunt for answers • The loader • The beast itself • Protection layers • Inside the rootkit • The botnet user mode code • Lessons learned 2
The family's history • Rustock aka Spambot is able to send spam emails and always used top notch rootkit techniques to hide its tracks • First version (Rustock.A) appeared in Nov 2005, followed by Rustock.B in July 2006 • Code maintained probably only by one Russian guy, who is known as "pe386" or "ntldr" in the underground • From a reverse engineers point of view, this malware family was always a challenging task and with every evolution step also the degree of analyzing difficulty increased 3
Page 1: Rustock.C When a myth comes true Fr
Page 5 and 6: How the myth started rolling • In
Page 7: The hunt for answers • After some
Page 10 and 11: Loaders inner workings • Grabs se
Page 12: The beast itself
Page 15 and 16: Protection layer 2 • Searches the
Page 17 and 18: Protection layer 3 • If the 8 byt
Page 19 and 20: Inside the rootkit • Unpacked cod
Page 21 and 22: Inside the rootkit • NTOSKRNL hoo
Page 23 and 24: Inside the rootkit • To prevent l
Page 25 and 26: The botnet user mode code
Page 27 and 28: Lessons learned • Kernel mode dri

Rustock.C When a myth comes true

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?