Mailbot.AZ

Classification

Category:

Backdoor

Platform:

W32

Type:

Rootkit

Aliases:

Mailbot.AZ
SpamTool.Win32.Mailbot.az
Backdoor.Rustock.A
BKDR_RUSTOCK.A

Summary

Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named "services.exe". The payload is a Spamtool with backdoor capabilities.

Removal

Technical Details

Installation to the system

Mailbot.AZ is usually installed to the system by a separate dropper component, detected as Trojan-Dropper.Win32.Small.ape. When the dropper is executed, it drops the rootkit driver to %TEMP%\pe386.sys and runs it. After installation, the dropper deletes itself from the system.

When the rootkit driver is executed, it creates a copy of itself to an Alternate Data Stream - %SystemRoot%\system32:[random_number]. However, since the code does not seed the pseudorandom-number generator (code bug), the alternate data stream is always created as:

%SystemRoot%\System32:18467

If the file system does not support Alternate Data Streams, the driver is installed to:

%SystemRoot%\System32\Drivers\pe386.sys

To survive reboot the rootkit adds the following launch point to the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386

with the following values:

DisplayName = Win23 PE files loader
ImagePath = \SystemRoot\System32:18467 or
ImagePath = \SystemRoot\System32\Drivers\pe386.sys

The registry settings make sure the driver is started very early in the boot process and it also run in safe mode. Kernel-mode payload: The rootkit takes control over the System Service Dispatcher by hooking INT 0x2E and IA32_SYSENTER_EIP MSR handler functions. A thread trying to execute any of the following system service functions will be redirected to a modified version:

ZwCreateKey
ZwDeviceIoControlFile
ZwEnumerateKey
ZwOpenKey
ZwQueryKey
ZwQuerySystemInformation
ZwSaveKey

These functions are hooked to hide registry keys and values used by the rootkit, and to avoid detection by certain rootkit detection software. The rootkit hooks two IRP handler functions from the driver object responsible for the file system. In the case of NTFS, it hooks the following handler functions from NTFS driver object:

IRP_MJ_CREATE
IRP_MJ_QUERY_INFORMATION

In the case of FAT, it hooks the following handler functions from Fastfat driver object:

IRP_MJ_CLEANUP
IRP_MJ_CREATE

These handler functions are hooked to hide the file or deny access to the alternate data stream. The rootkit hooks the following IRP handler functions from the Tcpip driver object:

IRP_MJ_CLOSE
IRP_MJ_CREATE
IRP_MJ_DEVICE_CONTROL

One purpose for these hooks is to hide any network connections initiated by the user-mode payload. The rootkit installs a notification routine for process creation. It modifies the behavior of some hooks if any of the following strings are present in loaded image's resources section:

BlackLight
Rootkitrevealer
Rkdetector

The rootkit driver tries to make its detection harder by performing the following "tricks":

Executes from dynamically allocated memory
Removes the driver from the loaded modules list
Removes the driver object from the Object Manager
Deletes its legacy key and any subkeys from the registry
Removes its service entry from the Service Control Manager

User-mode Payload: The driver file contains a user-mode DLL in an encrypted format. After the driver has initialized, it will extract the DLL from the file into dynamically allocated memory, maps the memory to the address space of services.exe, and prepares the mapped image for execution. Then, it queues an Asynchronous Procedure Call for services.exe to execute it in its context. The DLL is a spamtool with backdoor capabilities.

More Support

Community

Ask questions in our Community.

User guides

Check the user guide for instructions.

Contact Support

Chat with with or call an agent.

Submit a Sample

Submit a file or URL for analysis.