Don't touch my Rustock.B

Rustock.B (aka Mailbot, Clicker, Costrat, …) is a well-known piece of malicious code that we have covered in this blog in several posts, and we have come across it in every kind of computer scenario: customers, friends, family and, of course, analyzing its main features at work. Its aim is to send spam email (remember McColo?), hiding some of its files by hooking the usual APIs:

  • ZwOpenKey
  • ZwEnumerateKey
  • ZwQueryKey
  • ZwCreateKey
  • ZwSaveKey
  • ZwDeviceIoControlFile
  • ZwQuerySystemInformation
  • ZwInitializeRegistry

Rustock.B is an old piece of software (2006) that didn’t follow a security development lifecycle, so it has the same problem as any other type of software: vulnerabilities; and it seems that the Rustock.B authors didn’t worry about that 🙂 And not only the malicious code authors, but also some anti-rootkit software ones.

The vulnerability is inside the ZwOpenKey handler (remember that this function is hooked), and it can be triggered when opening a registry key with more than 524 (0x20C) bytes. It is not so common to have a registry key with more than 524 bytes, but it can happen on some computers (long hardware IDs). In fact, you need:
  • to be infected by Rustock.B
  • any process to open a registry key of that length
in order to get a beautiful blue screen in Windows XP (Windows 2000 is not affected), or a WinDbg bugcheck screen.

The bottom line is that any time we are 1) infected by Rustock.B and 2) opening a big registry key, our system will halt. And that does happen sometimes: any anti-rootkit software (GMER, for example) that looks for hidden registry keys will trigger the vulnerability; it is not the tool's fault, but it will freeze our Windows system. So which, in your opinion, is the best solution for avoiding this kind of error in anti-rootkit software? Detecting whether the computer is infected with Rustock.B when scanning the registry with, for example, GMER, and if it is, handling the error, or just ignoring the error and crashing the system?
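A defender-side check that follows from the trigger condition above: before pointing a registry-scanning anti-rootkit tool at a machine that may be infected, list the key paths that exceed the 524-byte limit, so you know in advance whether the scan will hit it. This is an added example, not code from the post or from any anti-rootkit tool; it assumes the 524 bytes are measured on the UTF-16 key name the kernel receives, and the `SAMPLE_TREE` below is constructed input for running it offline.

```python
# Added example, not code from the post: list registry key paths longer than the
# 524-byte (0x20C) limit at which the Rustock.B ZwOpenKey hook crashes Windows XP.
# Key names reach the kernel as UTF-16 (2 bytes per character), so a full path of
# 263 or more characters crosses the limit. SAMPLE_TREE is constructed test input.
import sys
from functools import reduce

RUSTOCK_LIMIT_BYTES = 0x20C  # 524 bytes, the threshold given in the post

def utf16_len(path):
    """Byte length of a key path as the kernel receives it (UTF-16, no terminator)."""
    return len(path.encode("utf-16-le"))

def find_long_keys(root, subkeys_of, limit=RUSTOCK_LIMIT_BYTES):
    """Depth-first walk from `root`; subkeys_of(path) returns the child key names.
    Returns every full path whose UTF-16 length exceeds `limit`, sorted."""
    hits, stack = [], [root]
    while stack:
        path = stack.pop()
        if utf16_len(path) > limit:
            hits.append(path)
        stack.extend(path + "\\" + child for child in subkeys_of(path))
    return sorted(hits)

def dict_subkeys(tree):
    """Adapter for an in-memory nested-dict tree such as SAMPLE_TREE."""
    return lambda path: list(reduce(lambda node, part: node[part], path.split("\\"), tree))

def winreg_subkeys():
    """Adapter for the live HKLM hive (Windows only); keys we cannot open are skipped."""
    import winreg
    def subkeys_of(path):
        sub = path.split("\\", 1)[1] if "\\" in path else ""  # strip the "HKLM" root
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, sub) as key:
                return [winreg.EnumKey(key, i) for i in range(winreg.QueryInfoKey(key)[0])]
        except OSError:
            return []
    return subkeys_of

# Constructed sample: the parent path is 239 characters (478 bytes, safe); the long
# hardware id beneath it gives 239 + 1 + 62 = 302 characters, i.e. 604 bytes.
LONG_ID = "VID_0000&PID_0000&REV_" + "0" * 40
SAMPLE_TREE = {"HKLM": {"SYSTEM": {"CurrentControlSet": {"Enum": {"USB": {
    "VID_0000&PID_0001": {}, "X" * 200: {LONG_ID: {}}}}}}}}

if __name__ == "__main__":  # live registry on Windows, the constructed sample elsewhere
    walk = winreg_subkeys() if sys.platform == "win32" else dict_subkeys(SAMPLE_TREE)
    for path in find_long_keys("HKLM", walk):
        print(f"{utf16_len(path):4d} bytes  {path}")
```

Walking a live hive can take a while on a large registry, and keys the current user cannot open are silently skipped, so run it elevated for a complete picture.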
Hat tip to Rubén, Alonso and Alfredo for finding and fixing 🙂 the vulnerability.
David Barroso
S21sec e-crime