Hot News! - Dr.Web successfully detects Win32.Ntldrbot (aka Rustock.C)

A very, very nice catch was made by Dr.Web's analyst team,
and now they successfully detect Win32.Ntldrbot (aka Rustock.C).

Full news on Dr.Web's website: http://info.drweb.com/show/3342/en

.... Some anti-virus labs didn't give up seeking the virus. Finally the intensive search gave results. Eighteen months passed before Win32.Ntldrbot was found by analysts of Doctor Web, Ltd. at the beginning of 2008. All this time the rootkit was in the wild, compromising PCs and turning them into bots. Assuming that the malware has been running free and completely invisible since October 2007, one could assess the resulting amount of infected traffic.

Some features of Win32.Ntldrbot

Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.
Implemented as a driver, it runs on the lowest kernel level.
Protects itself, prevents runtime changes.
Uses active anti-debugging techniques: monitors the setting of hardware breakpoints (DR registers) and disrupts the operation of kernel-level debuggers (e.g. Syser, SoftICE). The WinDbg debugger won't work if the rootkit is running.
Intercepts system functions using non-standard method.
Functions as a file-virus and infects system drivers.
A particular sample of the rootkit adjusts itself to the hardware of an infected machine and most likely won't run on another computer.
Utilizes a time-triggered reinfection feature. The old infected file is cured, so the rootkit "wanders" through system drivers, infecting only one at a time.
Filters calls to an infected file, intercepts FSD-procedures of a file system driver and redirects a call to the original file instead of the infected one.
Features anti-rootkit protection.
Injects its library into one of the Windows system processes, so the library starts spamming. The driver is connected to the DLL using a special command transfer mechanism.

that’s nasty badware 8)

P.S. Does Avast! detect it yet???
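The "wandering" reinfection described in the Dr.Web feature list (one system driver infected at a time, the previous host cured) is exactly the pattern a periodic integrity baseline catches: between two snapshots, one driver's hash changes while everything else stays put. The following is an added example, not code from Dr.Web or from anyone in this thread; it builds a snapshot/diff checker and simulates the wandering behaviour on a constructed temporary directory of fake `.sys` files. One caveat that follows from the same feature list: the rootkit filters reads of the infected file and redirects them to the original content, so a checker like this only sees the truth when it is run from clean boot media or against the disk offline, not from inside the infected OS.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (path relative to root) to its SHA-256 hex digest."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(old, new):
    """Return (changed, added, removed) lists of relative paths between two snapshots.

    'changed' is the interesting set for a file infector: a driver that exists in
    both snapshots but whose content hash differs.
    """
    changed = sorted(p for p in old if p in new and old[p] != new[p])
    added = sorted(p for p in new if p not in old)
    removed = sorted(p for p in old if p not in new)
    return changed, added, removed


def demo():
    """Simulate the one-at-a-time 'wandering' infection on constructed sample files.

    Returns the diff after the first infection and the diff after the rootkit has
    cured its first host and moved on to a second driver. All file names and
    contents here are constructed for the demo; they are not real driver images.
    """
    with tempfile.TemporaryDirectory() as d:
        drivers = Path(d)
        for name in ("a.sys", "b.sys", "c.sys"):
            (drivers / name).write_bytes(b"CLEAN-" + name.encode())
        baseline = snapshot(drivers)

        # Round 1: the rootkit infects one driver (constructed modification).
        (drivers / "b.sys").write_bytes(b"INFECTED-b.sys")
        round1 = diff_snapshots(baseline, snapshot(drivers))

        # Round 2: the old host is restored to its original bytes ("cured") and
        # a different driver becomes the new host.
        (drivers / "b.sys").write_bytes(b"CLEAN-b.sys")
        (drivers / "c.sys").write_bytes(b"INFECTED-c.sys")
        round2 = diff_snapshots(baseline, snapshot(drivers))

        return round1, round2


if __name__ == "__main__":
    r1, r2 = demo()
    print("after first infection:", r1)
    print("after the host moved:", r2)
```

Against a real system you would take the baseline from a known-clean install (or from the vendor's signed catalog hashes) and compare each later snapshot to that baseline rather than to the previous snapshot; comparing only consecutive snapshots would also flag the cured driver as "changed" on its way back to clean, which is noise rather than signal.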

Have you checked the virus database?

This shows 16 different Rustock signatures, including Rustock-C, though there is no standardisation in virus naming, so there is no easy way to tell.

Seems not, see http://www.castlecops.com/t221308-Rustock_C_Win32_NtldrBot.html

Well, that doesn't say it is Rustock-C at all, just Win32.Ntldrbot, so it is just another point in the non-standard naming of viruses/malware.

The other two detections also appear to be heuristic (malware.gen and viper.Suspicious).

So this appears to be a new variant and not Rustock-C; otherwise there would have been more detections by signature on the other scanners. So yes, it would appear that avast doesn't detect this 'new' malware variant, but I would say the jury is out on this being Rustock-C.

Very interesting details and in-depth technical coverage of the rootkit and its heroic 'lifetime' …

http://forum.sysinternals.com/forum_posts.asp?TID=14844

One needs to ask how malware was able to exist for 1.5 years without being completely detected and analyzed …
What's shocking is the quality of the coding: tons of kernel-mode hooks and no stability issues …