Threat Description

Mailbot.AZ

Details

Aliases: Mailbot.AZ, SpamTool.Win32.Mailbot.az, Backdoor.Rustock.A, BKDR_RUSTOCK.A
Category: Backdoor
Type: Rootkit
Platform: W32

Summary



Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named "services.exe". The payload is a Spamtool with backdoor capabilities.



Removal



F-Secure BlackLight Beta (Build 2.2.1041) is able to detect the hidden driver file or Alternate Data Stream. To remove the infection, perform the following steps:

  • Reboot your system using the Windows Recovery Console (started from your Windows installation CD).
  • Copy a non-executable file from the Windows directory over the Alternate Data Stream. For example, run the following command:

  • copy c:\windows\win.ini c:\windows\system32:18467

Please note that the copy command will fail, but the malicious file has actually been truncated to zero length.



Technical Details



Installation to the system

Mailbot.AZ is usually installed to the system by a separate dropper component, detected as Trojan-Dropper.Win32.Small.ape. When the dropper is executed, it drops the rootkit driver to %TEMP%\pe386.sys and runs it. After installation, the dropper deletes itself from the system.

When the rootkit driver is executed, it creates a copy of itself in an Alternate Data Stream, %SystemRoot%\system32:[random_number]. However, because the code never seeds the pseudorandom-number generator (a bug in the malware), the "random" number is the same on every system and the alternate data stream is always created as:

  • %SystemRoot%\System32:18467

If the file system does not support Alternate Data Streams, the driver is installed to:

  • %SystemRoot%\System32\Drivers\pe386.sys

To survive a reboot, the rootkit adds the following launch point to the registry:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386

with the following values:

  • DisplayName = Win23 PE files loader
  • ImagePath = \SystemRoot\System32:18467 or
  • ImagePath = \SystemRoot\System32\Drivers\pe386.sys
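The two facts above (the constant stream name and the fixed launch point) lend themselves to a check that runs offline. The script below is an added example, not code from the F-Secure write-up: it reproduces the Microsoft C runtime's rand() generator with its default seed to show that 18467 is one of the first values an unseeded program gets (the write-up does not say how many rand() calls precede the naming, so the script keeps the first few values), and it scans the text of a `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` listing for a service whose DisplayName or ImagePath matches the indicators above. The listing it parses is constructed for the example; the column layout it assumes (flush-left key lines, indented `name type data` lines separated by runs of spaces) is that of the reg.exe tool.

```python
"""
Added example, not part of the F-Secure write-up: (1) reproduce the unseeded
Microsoft C runtime rand() sequence that makes the stream name 18467 constant,
and (2) flag the pe386 launch point in a 'reg query ... /s' listing.
"""
import re

# Microsoft CRT rand(): 32-bit linear congruential generator,
#   state = state * 214013 + 2531011 ; result = (state >> 16) & 0x7fff
# The default seed is 1, so a program that never calls srand() always gets
# the same sequence: 41, 18467, 6334, 26500, ...
MSVC_MULT = 214013
MSVC_INC = 2531011


def msvc_rand_sequence(count, seed=1):
    """Return the first `count` values MSVC rand() yields from `seed`."""
    values, state = [], seed
    for _ in range(count):
        state = (state * MSVC_MULT + MSVC_INC) & 0xFFFFFFFF
        values.append((state >> 16) & 0x7FFF)
    return values


# Stream names an unseeded build could produce (assumption: the write-up does
# not say how many rand() calls happen before the stream is named).
EXPECTED_STREAM_NAMES = {str(v) for v in msvc_rand_sequence(8)}

# Indicators taken from the write-up above.
KNOWN_DISPLAY_NAME = "Win23 PE files loader"
KNOWN_IMAGE_PATHS = {
    r"\SystemRoot\System32:18467",
    r"\SystemRoot\System32\Drivers\pe386.sys",
}
# Any ImagePath whose target is a numeric named stream on the System32 directory.
ADS_ON_SYSTEM32 = re.compile(r"\\System32:(\d+)$", re.IGNORECASE)


def find_suspicious_services(reg_query_text):
    """Parse the text output of 'reg query HKLM\\SYSTEM\\CurrentControlSet\\Services /s'
    and return {service_key: [reasons]} for entries matching the indicators."""
    findings = {}
    current_key = None
    for line in reg_query_text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # key lines are flush-left
            current_key = line.strip()
            continue
        parts = re.split(r"\s{2,}|\t+", line.strip(), maxsplit=2)
        if len(parts) != 3 or current_key is None:
            continue
        name, _reg_type, data = parts
        reasons = findings.setdefault(current_key, [])
        if name == "ImagePath":
            if data in KNOWN_IMAGE_PATHS:
                reasons.append("ImagePath matches a known Mailbot.AZ driver path: " + data)
            m = ADS_ON_SYSTEM32.search(data)
            if m:
                note = ("stream name is from the unseeded MSVC rand() sequence"
                        if m.group(1) in EXPECTED_STREAM_NAMES else "numeric stream name")
                reasons.append(f"ImagePath points at an alternate data stream on System32 ({note}): " + data)
        elif name == "DisplayName" and data == KNOWN_DISPLAY_NAME:
            reasons.append("DisplayName matches Mailbot.AZ: " + data)
    return {key: reasons for key, reasons in findings.items() if reasons}


# Constructed sample listing (not captured from a real system): one benign
# service and one entry shaped like the launch point described above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Beep
    DisplayName    REG_SZ    Beep
    ImagePath    REG_EXPAND_SZ    System32\drivers\beep.sys
    Start    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pe386
    DisplayName    REG_SZ    Win23 PE files loader
    ImagePath    REG_EXPAND_SZ    \SystemRoot\System32:18467
    Start    REG_DWORD    0x0
"""

if __name__ == "__main__":
    print("unseeded rand():", msvc_rand_sequence(4))
    for key, reasons in find_suspicious_services(SAMPLE_REG_QUERY).items():
        print(key)
        for r in reasons:
            print("   ", r)
```

Take the listing from a boot where the rootkit is not running (the Recovery Console, or the SYSTEM hive loaded offline with `reg load`): on a live infected system the hooked ZwOpenKey, ZwEnumerateKey and ZwQueryKey services described below hide the pe386 key, so a query run there would come back clean.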

The registry settings make sure the driver is started very early in the boot process and that it also runs in safe mode.

Kernel-mode Payload

The rootkit takes control over the System Service Dispatcher by hooking the INT 0x2E and IA32_SYSENTER_EIP MSR handler functions. A thread trying to execute any of the following system service functions will be redirected to a modified version:

  • ZwCreateKey
  • ZwDeviceIoControlFile
  • ZwEnumerateKey
  • ZwOpenKey
  • ZwQueryKey
  • ZwQuerySystemInformation
  • ZwSaveKey

These functions are hooked to hide the registry keys and values used by the rootkit, and to avoid detection by certain rootkit detection software. The rootkit also hooks two IRP handler functions of the driver object responsible for the file system. In the case of NTFS, it hooks the following handler functions of the NTFS driver object:

  • IRP_MJ_CREATE
  • IRP_MJ_QUERY_INFORMATION

In the case of FAT, it hooks the following handler functions of the Fastfat driver object:

  • IRP_MJ_CLEANUP
  • IRP_MJ_CREATE

These handler functions are hooked to hide the file or deny access to the alternate data stream. The rootkit hooks the following IRP handler functions from the Tcpip driver object:

  • IRP_MJ_CLOSE
  • IRP_MJ_CREATE
  • IRP_MJ_DEVICE_CONTROL

One purpose of these hooks is to hide any network connections initiated by the user-mode payload. The rootkit also installs a notification routine for process creation. It modifies the behavior of some of its hooks if any of the following strings are present in the loaded image's resource section:

  • BlackLight
  • Rootkitrevealer
  • Rkdetector
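Because the driver compares loaded images against these names, the strings (along with the driver and service name given above) are themselves present in the rootkit's image and make a useful triage indicator when a copy of the hidden stream or driver file has been recovered from the Recovery Console, where the hooks are not active. The scanner below is an added example, not code from the F-Secure write-up: it searches a byte buffer for each indicator in ASCII and in the UTF-16LE encoding used by Windows resource sections, case-insensitively, and reports the offsets. The buffer it scans is constructed for the example and is not a real sample.

```python
"""
Added example, not part of the F-Secure write-up: search a driver image
(recovered offline) for the anti-detection strings and file names listed
above, in both ASCII and the UTF-16LE used by Windows resource sections.
"""
import re

# Strings from the write-up: detection tools the rootkit watches for, plus
# its own driver/service name and service DisplayName.
INDICATORS = ["BlackLight", "Rootkitrevealer", "Rkdetector", "pe386", "Win23 PE files loader"]

ENCODINGS = ("ascii", "utf-16-le")


def find_indicator_strings(blob):
    """Return {indicator: [(encoding, offset), ...]} for every indicator found
    in `blob`; matching is ASCII case-insensitive in both encodings."""
    hits = {}
    for text in INDICATORS:
        for enc in ENCODINGS:
            # re.IGNORECASE on a bytes pattern folds ASCII letters only, which
            # is exactly what is needed for both ASCII and UTF-16LE text.
            pattern = re.compile(re.escape(text.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(blob):
                hits.setdefault(text, []).append((enc, m.start()))
    return hits


def scan_file(path):
    """Convenience wrapper for a file on disk, e.g. a copy of the hidden
    stream taken from the Recovery Console."""
    with open(path, "rb") as fh:
        return find_indicator_strings(fh.read())


# Constructed byte buffer standing in for a driver image (not a real sample):
# one indicator as a UTF-16LE resource string, one ASCII file name, and one
# indicator whose case differs from the write-up's spelling.
SAMPLE_BLOB = (
    b"\x00" * 16
    + "BlackLight".encode("utf-16-le")
    + b"\x00" * 8
    + b"pe386.sys"
    + b"\x00" * 4
    + "rkdetector".encode("utf-16-le")
)

if __name__ == "__main__":
    for name, where in sorted(find_indicator_strings(SAMPLE_BLOB).items()):
        print(f"{name:24s} {where}")
```

A hit on these strings is a triage signal, not a verdict: legitimate security tools carry the same product names, so confirm by checking the file's location (a named stream on the System32 directory, or the pe386.sys path above) and the registry launch point.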

The rootkit driver tries to make its detection harder by performing the following "tricks":

  • Executes from dynamically allocated memory
  • Removes the driver from the loaded modules list
  • Removes the driver object from the Object Manager
  • Deletes its legacy key and any subkeys from the registry
  • Removes its service entry from the Service Control Manager

User-mode Payload

The driver file contains a user-mode DLL in an encrypted format. After the driver has initialized, it extracts the DLL from the file into dynamically allocated memory, maps that memory into the address space of services.exe, and prepares the mapped image for execution. It then queues an Asynchronous Procedure Call to services.exe so that the DLL executes in that process's context. The DLL is a spamtool with backdoor capabilities.



Detection


F-Secure Anti-Virus detects this malware with the following updates:
Detection Type: PC
Database: 2006-05-28_02



