Rustock.B (aka Mailbot, Clicker, Costrat, …) is a well-known malicious code that we have covered in this blog in several posts, and we have come across it in all kinds of computer scenarios: customers, friends, family and, of course, analyzing its main features at work. Its aim is to send spam email (remember McColo?), hiding some of its files by hooking typical APIs:
Rustock.B is an old piece of software (2006) that didn't follow a security development lifecycle, so it has the same problem as any other type of software: vulnerabilities; and it seems that the Rustock.B authors didn't worry about that 🙂 Not only the malicious code authors, but also some anti-rootkit software authors.
The vulnerability is in the ZwOpenKey handler (remember that this function is hooked), and it is triggered when a registry key longer than 524 (0x20C) bytes is opened. A registry key longer than 524 bytes is not so common, but it does happen on some computers (long hardware ids). In fact, all you need is:
- to be infected by Rustock.B
- any process opening a registry key of that length
in order to get a beautiful blue screen in Windows XP (Windows 2000 is not affected), or a bugcheck windbg screen:
The bottom line is that any time we are 1) infected by Rustock.B and 2) opening a big registry key, our system will halt. And that does happen: any anti-rootkit software (GMER, for example) that looks for hidden registry keys will trigger the vulnerability; it is not its fault, but it will freeze our Windows system. So, in your opinion, what is the best way to avoid this kind of error in anti-rootkit software? Detect whether the computer is infected with Rustock.B when scanning the registry with, for example, GMER, and if it is, take control of the error, or just ignore the error and crash the system?
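One way a scanner could "take control of the error" instead of letting the hooked handler halt the machine is to bound the key path length before calling ZwOpenKey at all. The following is an added example, not code from the original post nor from GMER: it checks each candidate key path against the 524 (0x20C) byte trigger length described above and reports and skips anything longer, so the scan finishes and the operator knows it was partial. It assumes, which the post does not state, that the limit is the UTF-16 byte length of the key path (as a UNICODE_STRING.Length would express it); the sample paths are constructed for the demo and are ASCII only, so each character is one 16-bit code unit.

```c
/* Added example, not code from the original post nor from GMER: a length guard
 * an anti-rootkit scanner could apply before handing a registry key path to
 * ZwOpenKey on a machine that may be infected with Rustock.B.
 * Assumptions not stated in the post: the 524 (0x20C) byte limit is the UTF-16
 * byte length of the key path (as UNICODE_STRING.Length would express it), and
 * the sample paths below are constructed for this demo (ASCII only, so every
 * character is exactly one 16-bit code unit). */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define RUSTOCK_B_KEY_LIMIT_BYTES 0x20C   /* 524 bytes, the trigger length from the post */

enum key_decision {
    KEY_OPEN = 0,          /* safe to pass to the (hooked) ZwOpenKey */
    KEY_SKIP_TOO_LONG = 1  /* longer than the limit: report it and skip it */
};

/* UTF-16 byte length of an ASCII-only key path: two bytes per character. */
size_t key_path_utf16_bytes(const char *path)
{
    return 2 * strlen(path);
}

/* The post says "more than 524 bytes" triggers the crash, so a path of
 * exactly 524 bytes is still safe to open. */
enum key_decision decide_key(const char *path)
{
    return key_path_utf16_bytes(path) > RUSTOCK_B_KEY_LIMIT_BYTES
               ? KEY_SKIP_TOO_LONG
               : KEY_OPEN;
}

/* Scanner loop: open what is safe, report and skip what would halt the box.
 * Returns the number of skipped keys so the operator knows the scan was partial. */
size_t scan_paths(const char *const *paths, size_t count)
{
    size_t skipped = 0;
    for (size_t i = 0; i < count; i++) {
        size_t bytes = key_path_utf16_bytes(paths[i]);
        if (decide_key(paths[i]) == KEY_SKIP_TOO_LONG) {
            printf("SKIP  %4zu bytes  %.48s...\n", bytes, paths[i]);
            skipped++;
        } else {
            printf("OPEN  %4zu bytes  %s\n", bytes, paths[i]);
        }
    }
    return skipped;
}

/* Constructed sample: a hardware-id-like key under Enum, padded with 'A' to
 * exactly `chars` characters (capped to the static buffer). Not a real device
 * id; it only models the "long hardware id" case from the post. */
const char *constructed_path(size_t chars)
{
    static char buf[1024];
    const char *prefix = "\\Registry\\Machine\\System\\CurrentControlSet\\Enum\\";
    size_t plen = strlen(prefix);
    if (chars >= sizeof buf) chars = sizeof buf - 1;
    if (chars < plen) chars = plen;
    memcpy(buf, prefix, plen);
    memset(buf + plen, 'A', chars - plen);
    buf[chars] = '\0';
    return buf;
}

int main(void)
{
    /* constructed_path() reuses one static buffer, so copy each result out. */
    char exact_key[1024], long_key[1024];
    strcpy(exact_key, constructed_path(262));   /* 524 bytes: at the limit, still opened */
    strcpy(long_key, constructed_path(300));    /* 600 bytes: would trigger the crash */
    const char *paths[] = {
        "\\Registry\\Machine\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
        exact_key,
        long_key,
    };
    size_t skipped = scan_paths(paths, sizeof paths / sizeof paths[0]);
    printf("%zu key(s) skipped\n", skipped);
    return 0;
}
```

The guard only suppresses the crash; it does not tell you whether the machine is infected. A skipped key is therefore a finding in its own right: either the system genuinely has a path that long, or a scanner that refuses to probe it is the only reason the box is still running, which is exactly the condition worth reporting to the user.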
Hat tips to Rubén, Alonso and Alfredo for finding and fixing 🙂 the vulnerability.