Mailbot.AZ

Classification

Category :

Backdoor

Type :

Rootkit

Aliases :

Mailbot.AZ, SpamTool.Win32.Mailbot.az, Backdoor.Rustock.A, BKDR_RUSTOCK.A

Summary

Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named "services.exe". The payload is a Spamtool with backdoor capabilities.

Removal

To remove the infection, perform the following steps:

  • Reboot your system into the Windows Recovery Console (from your Windows installation CD).
  • Copy a non-executable file from the Windows directory over the Alternate Data Stream:

    copy c:\windows\win.ini c:\windows\system32:18467

Please note that the copy command will report an error, but by then the malicious stream has already been truncated to zero length.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Installation to the system

Mailbot.AZ is usually installed to the system by a separate dropper component, detected as Trojan-Dropper.Win32.Small.ape. When the dropper is executed, it drops the rootkit driver to %TEMP%\pe386.sys and runs it. After installation, the dropper deletes itself from the system.

When the rootkit driver is executed, it copies itself into an Alternate Data Stream attached to the System32 directory, %SystemRoot%\system32:[random_number]. However, because the code never seeds its pseudorandom-number generator (a bug in the rootkit), the stream is always created under the same name:

  • %SystemRoot%\System32:18467
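The fixed stream number is a direct consequence of the unseeded generator. The following added example (not code from the original description, and not the rootkit's code) reproduces the Microsoft C runtime's rand() as a 32-bit linear congruential generator and shows that, started from the CRT's default state of 1, its outputs are the fixed sequence 41, 18467, 6334, ... The assumption, consistent with the number above, is that the driver was built against the Microsoft CRT and that 18467 is the second value drawn; the exact call pattern inside the rootkit is not stated on this page. The same sequence lets a responder check whether a "random" stream or file name is actually a reproducible unseeded value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Microsoft C runtime rand(): state = state * 214013 + 2531011 (mod 2^32),
 * output = (state >> 16) & 0x7fff. Without srand(), the CRT starts from
 * state 1, so every run yields the same outputs. (Assumed CRT, see lead-in.) */
#define MSVC_RAND_DEFAULT_SEED 1u

static unsigned msvc_rand_next(uint32_t *state) {
    *state = *state * 214013u + 2531011u;   /* unsigned arithmetic wraps modulo 2^32 */
    return (*state >> 16) & 0x7fffu;
}

/* Fill out[] with the first n outputs of an unseeded MSVC rand(). */
void unseeded_msvc_rand_sequence(unsigned *out, size_t n) {
    uint32_t state = MSVC_RAND_DEFAULT_SEED;
    for (size_t i = 0; i < n; i++)
        out[i] = msvc_rand_next(&state);
}

/* Return the 1-based position of value among the first depth outputs of an
 * unseeded MSVC rand(), or 0 if it does not occur. A stream or file name that
 * matches an early output is a sign the "random" name is reproducible. */
int unseeded_msvc_rand_position(unsigned value, size_t depth) {
    uint32_t state = MSVC_RAND_DEFAULT_SEED;
    for (size_t i = 1; i <= depth; i++)
        if (msvc_rand_next(&state) == value)
            return (int)i;
    return 0;
}

int main(void) {
    unsigned seq[8];
    unseeded_msvc_rand_sequence(seq, 8);
    printf("first unseeded MSVC rand() outputs:");
    for (size_t i = 0; i < 8; i++)
        printf(" %u", seq[i]);
    printf("\nposition of 18467 in the sequence: %d\n",
           unseeded_msvc_rand_position(18467, 8));
    return 0;
}
```

Because the stream number never changes, the removal command above can name it literally, and a file-system scan for a stream called 18467 on the System32 directory is a reliable indicator for this variant.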

If the file system does not support Alternate Data Streams, the driver is installed to:

  • %SystemRoot%\System32\Drivers\pe386.sys

To survive a reboot, the rootkit adds the following launch point to the registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386

with the following values:

  • DisplayName = Win23 PE files loader
  • ImagePath = \SystemRoot\System32:18467 (or \SystemRoot\System32\Drivers\pe386.sys on file systems without Alternate Data Stream support)
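A service whose ImagePath points into an Alternate Data Stream is unusual enough to be worth flagging on its own. The following added example (not code from the original description) shows a small check over a service entry such as the one above: it tests whether the last component of an ImagePath carries a stream separator, taking care not to count the colon of a drive designator, and then counts how many of this page's indicators (service name pe386, the DisplayName shown, an ADS ImagePath) a given entry matches. The struct and the sample entries are constructed for the example; on a live system the values would come from the Services key of the registry.

```c
#include <ctype.h>
#include <string.h>

/* ASCII case-insensitive string equality; registry names are case-insensitive. */
static int ieq(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Returns 1 if a service ImagePath names an NTFS alternate data stream, i.e.
 * its last path component contains a ':' that is not a drive designator. */
int imagepath_refers_to_ads(const char *path) {
    const char *comp = strrchr(path, '\\');
    comp = comp ? comp + 1 : path;
    /* A bare "C:..." with no backslash: skip the drive colon before looking. */
    if (comp == path && isalpha((unsigned char)comp[0]) && comp[1] == ':')
        comp += 2;
    return strchr(comp, ':') != NULL;
}

/* Constructed representation of one entry under ...\CurrentControlSet\Services. */
struct service_entry {
    const char *name;          /* subkey name, e.g. "pe386" */
    const char *display_name;  /* DisplayName value */
    const char *image_path;    /* ImagePath value */
};

/* Count how many of the indicators from this description the entry matches
 * (0 to 3). The ADS test also covers the stream-based ImagePath on its own. */
int service_matches_mailbot_az(const struct service_entry *e) {
    int hits = 0;
    if (ieq(e->name, "pe386")) hits++;
    if (ieq(e->display_name, "Win23 PE files loader")) hits++;
    if (imagepath_refers_to_ads(e->image_path)) hits++;
    return hits;
}
```

A single hit on the ADS test is already worth a closer look, since legitimate drivers are loaded from ordinary files; all three together match the launch point described on this page.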

These registry settings ensure that the driver is started very early in the boot process and that it also runs in Safe Mode.

Kernel-mode payload

The rootkit takes control of the System Service Dispatcher by hooking the INT 0x2E handler and the IA32_SYSENTER_EIP MSR (the SYSENTER entry point). Any thread that calls one of the following system service functions is redirected to a modified version:

  • ZwCreateKey
  • ZwDeviceIoControlFile
  • ZwEnumerateKey
  • ZwOpenKey
  • ZwQueryKey
  • ZwQuerySystemInformation
  • ZwSaveKey

These functions are hooked to hide the registry keys and values used by the rootkit and to evade certain rootkit detection software. The rootkit also hooks two IRP handler functions in the driver object responsible for the file system. On NTFS, it hooks the following handlers in the NTFS driver object:

  • IRP_MJ_CREATE
  • IRP_MJ_QUERY_INFORMATION

On FAT, it hooks the following handlers in the Fastfat driver object:

  • IRP_MJ_CLEANUP
  • IRP_MJ_CREATE

These handlers are hooked to hide the file or to deny access to the alternate data stream. The rootkit also hooks the following IRP handlers in the Tcpip driver object:

  • IRP_MJ_CLOSE
  • IRP_MJ_CREATE
  • IRP_MJ_DEVICE_CONTROL

One purpose of these hooks is to hide network connections initiated by the user-mode payload. The rootkit also installs a process-creation notification routine and changes the behavior of some hooks if any of the following strings are present in the resource section of the loaded image:

  • BlackLight
  • Rootkitrevealer
  • Rkdetector

The rootkit driver tries to make itself harder to detect with the following tricks:

  • Executes from dynamically allocated memory
  • Removes the driver from the loaded modules list
  • Removes the driver object from the Object Manager
  • Deletes its legacy key and any subkeys from the registry
  • Removes its service entry from the Service Control Manager

User-mode payload

The driver file contains a user-mode DLL in encrypted form. After the driver has initialized, it extracts the DLL from the file into dynamically allocated memory, maps that memory into the address space of services.exe, and prepares the mapped image for execution. It then queues an Asynchronous Procedure Call to services.exe so that the DLL runs in that process's context. The DLL is a spamtool with backdoor capabilities.