We keep a close eye on spam and on the malware that drives spam production. Our recent report highlighted some of the worst offenders, and Rustock is without a doubt the leader of the pack. Over the last six months, the proportion of Rustock spam in our spam traps peaked at nearly 60%, and it has not dropped below 20% of total spam since.
The Rustock spambot as we know it
Over time, we have observed regular updates to Rustock. Anti-virus vendors give it no consistent name, but recent Rustock binaries are detected by some anti-virus engines as Bubnix. The newest Rustock variant was first detected in December 2009. A month later we observed a large influx of Rustock spam, which spiked to over 50% of the spam we observed over the following months. Though the malware may carry different detection names and differ in how it installs itself on the operating system, it employs the same rootkit-based spamming engine, the same command and control architecture, and the same observable patterns in spam traffic.
In our lab, we observed the Virut, Bredolab and Harnig downloader Trojans as key distributors of Rustock. These malware downloaders use a drive-by download website or spam as an infection vector. These downloaders are capable of installing multiple types of malicious programs on the infected host and one of these is a downloader agent that installs the Rustock spambot driver.
A downloader agent pulls a fake .rar package from a list of hard-coded hosts. Here are some URLs from samples of the downloader:

http://173[dot]208[dot]154[dot]90/mybackup21.rar
http://208[dot]110[dot]82[dot]186/mybackup21.rar
http://64[dot]191[dot]38[dot]165/mybackup21.rar
http://96[dot]0[dot]203[dot]114/mybackup21.rar
http://76[dot]164[dot]194[dot]226/foto21.rar
http://66[dot]79[dot]162[dot]86/foto21.rar
http://173[dot]192[dot]135[dot]98/foto21.rar
http://96[dot]0[dot]203[dot]114/foto21.rar
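The URLs above are published defanged ("[dot]" in place of "."), so they cannot be compared with proxy logs as-is. The following Python script is an added example, not code from the original post: it refangs the list, splits it into hosts, payload file names and exact (host, path) pairs, and matches those against a constructed proxy log in a simple "time client method url status" format (the log lines are invented for the demonstration, not captured traffic). Matching on the file name as well as the host catches the same payload being served from a host that is not yet on the list.

```python
import re
from urllib.parse import urlsplit

# The defanged download URLs listed in the post; "[dot]" stands for "."
DEFANGED_URLS = """
http://173[dot]208[dot]154[dot]90/mybackup21.rar
http://208[dot]110[dot]82[dot]186/mybackup21.rar
http://64[dot]191[dot]38[dot]165/mybackup21.rar
http://96[dot]0[dot]203[dot]114/mybackup21.rar
http://76[dot]164[dot]194[dot]226/foto21.rar
http://66[dot]79[dot]162[dot]86/foto21.rar
http://173[dot]192[dot]135[dot]98/foto21.rar
http://96[dot]0[dot]203[dot]114/foto21.rar
""".split()

# Constructed proxy log lines (not real traffic): time, client, method, URL, status
SAMPLE_PROXY_LOG = """
2010-02-03T10:01:12 10.0.0.5 GET http://173.208.154.90/mybackup21.rar 200
2010-02-03T10:02:40 10.0.0.7 GET http://www.example.com/index.html 200
2010-02-03T10:03:01 10.0.0.9 GET http://10.1.1.1/foto21.rar 200
2010-02-03T10:04:55 10.0.0.5 GET http://96.0.203.114/updates/foto21.rar 404
""".strip().splitlines()


def refang(url: str) -> str:
    """Undo common defanging so an indicator can be compared with live log data."""
    url = re.sub(r"\[(?:dot|\.)\]|\((?:dot|\.)\)", ".", url, flags=re.IGNORECASE)
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)


def build_ioc_sets(defanged_urls):
    """Split indicators into hosts, payload file names and exact (host, path) pairs."""
    hosts, filenames, pairs = set(), set(), set()
    for raw in defanged_urls:
        parts = urlsplit(refang(raw))
        hosts.add(parts.hostname)
        filenames.add(parts.path.rsplit("/", 1)[-1])
        pairs.add((parts.hostname, parts.path))
    return hosts, filenames, pairs


def match_proxy_log(log_lines, defanged_urls):
    """Return (client, url, match_kind) for every log line that touches an indicator.

    match_kind is the most specific match found: the exact URL, a known host,
    or a known payload file name fetched from some other host.
    """
    hosts, filenames, pairs = build_ioc_sets(defanged_urls)
    hits = []
    for line in log_lines:
        _ts, client, _method, url, _status = line.split()
        parts = urlsplit(url)
        filename = parts.path.rsplit("/", 1)[-1]
        if (parts.hostname, parts.path) in pairs:
            kind = "known_url"
        elif parts.hostname in hosts:
            kind = "known_host"
        elif filename in filenames:
            kind = "known_filename"
        else:
            continue
        hits.append((client, url, kind))
    return hits


if __name__ == "__main__":
    for hit in match_proxy_log(SAMPLE_PROXY_LOG, DEFANGED_URLS):
        print(*hit)
```

Run against the constructed log, the script reports the exact download from 173.208.154.90, the known host 96.0.203.114 serving the payload under a different path, and an unlisted host serving foto21.rar; the plain index.html request produces no hit.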
The downloaded file actually contains an encrypted .sys kernel-mode driver, the Rustock spambot itself. To make the fake .rar file look convincing, its header is formatted so that it appears to be a password-protected archive when opened with any RAR decompression utility.
The downloader agent decrypts the downloaded "Rar" file in memory once the download is complete.
New versions of Rustock have an interesting way of infecting the host system: they look for unused .sys files. The screenshot below shows the code where the malware attempts to back up the legitimate aec.sys driver from the loopback network path \\127.0.0.1\admin$\system32\drivers\aec.sys to \\127.0.0.1\admin$\system32\drivers\aec.sys.bak. If that path fails, it falls back to the local directory path, backing up C:\Windows\system32\drivers\aec.sys to C:\Windows\system32\drivers\aec.sys.bak.
After a successful backup, the malware overwrites the original file aec.sys with the kernel-mode spambot code and executes it by starting the aec.sys service.
If the first infection attempt fails, the malware enumerates the services of the infected host by calling the "EnumServicesStatusExA" API. This lets it walk through the other unused driver services and repeat the infection routine against them.
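The backup-then-overwrite routine leaves a distinctive artifact: a <name>.sys.bak file sitting next to a <name>.sys whose content no longer matches it. The following Python check is an added example, not code from the original post or from any analysis tool named here; it generalizes from aec.sys to every .sys.bak sibling in a drivers directory, which covers the fallback in which the malware enumerates other unused driver services. The sample directory it builds is constructed from placeholder bytes, not real driver images.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large drivers do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_overwritten_drivers(drivers_dir):
    """Inspect every <name>.sys.bak in drivers_dir and classify its <name>.sys sibling.

    Returns a list of (driver_name, status), sorted by backup file name, where status is:
      "modified"  - live driver differs from the backup (the pattern described in the post)
      "missing"   - backup exists but the live driver is gone
      "identical" - backup is a byte-for-byte copy (leftover, or not yet overwritten)
    """
    drivers_dir = Path(drivers_dir)
    findings = []
    for backup in sorted(drivers_dir.glob("*.sys.bak")):
        live = backup.with_suffix("")  # aec.sys.bak -> aec.sys
        if not live.exists():
            status = "missing"
        elif sha256_of(live) != sha256_of(backup):
            status = "modified"
        else:
            status = "identical"
        findings.append((live.name, status))
    return findings


def suspicious(findings):
    """Only the modified and missing cases deserve an analyst's attention."""
    return [name for name, status in findings if status != "identical"]


def build_sample_drivers_dir() -> Path:
    """Create a constructed drivers directory (placeholder bytes, not real drivers) for a dry run."""
    root = Path(tempfile.mkdtemp(prefix="drivers-"))
    original = b"MZ" + b"\x00" * 62 + b"placeholder: legitimate driver image"
    replaced = b"MZ" + b"\x00" * 62 + b"placeholder: replaced driver image"
    (root / "aec.sys.bak").write_bytes(original)   # backed up, then overwritten
    (root / "aec.sys").write_bytes(replaced)
    (root / "other.sys.bak").write_bytes(original)  # backup identical to live file
    (root / "other.sys").write_bytes(original)
    (root / "orphan.sys.bak").write_bytes(original) # backup whose live driver is gone
    return root


if __name__ == "__main__":
    sample = build_sample_drivers_dir()
    findings = find_overwritten_drivers(sample)
    for name, status in findings:
        print(f"{name}: {status}")
    print("review:", suspicious(findings))
```

On a live Windows host the function would be pointed at C:\Windows\system32\drivers. It only catches the backup artifact the post describes; a variant that removed the .bak file would evade it, so it is a cheap triage step to run alongside driver signature verification, not a replacement for it.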
Spam begins after installation
The downloader agent exits after it successfully installs the kernel-mode spambot driver on the infected host. From this point on, the spambot driver runs as a service and attempts to connect to rr.pmtpa.wikimedia.org.
It then starts to contact go-thailand-now.com, a fast-flux domain pointing to the command and control server. What is interesting about the go-thailand-now.com domain name is that, from its creation date (14 December 2009) up to now, it has remained a key domain name the Rustock bots use to contact their control server. Here is a graphical view of this domain name's DNS record:
After command and control initialization, the bot receives an encrypted spam template to process. Here is a screenshot in which Rustock sends a series of POST requests to a random PHP page on the control server.
The HTTP request below shows Rustock receiving an encrypted spamming template from the control server:
Another interesting quirk of recent Rustock versions is their use of a special Wikipedia request that returns a random article. The bot then uses strings from the article in the spam message subject and body, in an attempt to make the messages harder for anti-spam filters to catch.
The image below shows Rustock requesting the page /wiki/Special:Random from Wikipedia.com:
The finished product shows up like this in your inbox:
Here is another sample of Rustock spam in which text from a Wikipedia page is appended to the subject line:
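Taken together, the traffic described above gives a network-side pattern worth looking for: repeated POSTs to differently named PHP pages on one host (the template fetch) closely followed by a GET of /wiki/Special:Random. The Python script below is an added example, not code from the original post; it scores each client in a constructed proxy log (same "time client method url status" format, invented lines, not captured traffic) and flags a client either on contact with the C&C domain the post names, go-thailand-now.com, or on the combination of scattered PHP POSTs and a Special:Random fetch. The threshold of three distinct PHP page names per host is an assumption chosen for the demonstration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Fast-flux C&C domain named in the post
KNOWN_C2_DOMAINS = {"go-thailand-now.com"}

# Assumed threshold: this many distinct .php targets on one host looks like random page names
MIN_DISTINCT_PHP = 3

# Constructed proxy log (not captured traffic): time, client, method, URL, status
SAMPLE_LOG = """
2010-02-03T11:00:01 10.0.0.5 POST http://go-thailand-now.com/a8f2k.php 200
2010-02-03T11:00:03 10.0.0.5 POST http://go-thailand-now.com/q91zd.php 200
2010-02-03T11:00:04 10.0.0.5 POST http://go-thailand-now.com/mm7x1.php 200
2010-02-03T11:00:09 10.0.0.5 GET http://en.wikipedia.org/wiki/Special:Random 302
2010-02-03T11:01:00 10.0.0.7 GET http://en.wikipedia.org/wiki/Special:Random 302
2010-02-03T11:02:00 10.0.0.8 POST http://www.example.com/login.php 200
2010-02-03T11:02:05 10.0.0.8 POST http://www.example.com/login.php 200
2010-02-03T11:03:00 10.0.0.9 POST http://203.0.113.10/x71pq.php 200
2010-02-03T11:03:02 10.0.0.9 POST http://203.0.113.10/k2d9w.php 200
2010-02-03T11:03:05 10.0.0.9 POST http://203.0.113.10/zz04m.php 200
2010-02-03T11:03:20 10.0.0.9 GET http://en.wikipedia.org/wiki/Special:Random 302
""".strip().splitlines()


def analyze(log_lines):
    """Collect per-client indicators: known C2 domain, scattered .php POSTs, Special:Random fetches.

    Returns {client: sorted list of indicator names}; clients with no indicator are absent.
    """
    reasons = defaultdict(set)
    php_targets = defaultdict(set)  # (client, host) -> distinct .php paths POSTed to
    for line in log_lines:
        _ts, client, method, url, _status = line.split()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in KNOWN_C2_DOMAINS:
            reasons[client].add("known_c2_domain")
        if method == "POST" and parts.path.lower().endswith(".php"):
            php_targets[(client, host)].add(parts.path)
        if "wikipedia." in host and parts.path == "/wiki/Special:Random":
            reasons[client].add("wiki_special_random")
    for (client, _host), pages in php_targets.items():
        if len(pages) >= MIN_DISTINCT_PHP:
            reasons[client].add("random_php_posts")
    return {client: sorted(found) for client, found in reasons.items()}


def flagged_clients(log_lines):
    """Flag on a known C&C contact, or on template-fetch plus random-article behaviour together.

    A Special:Random fetch on its own is ordinary browsing and is deliberately not enough.
    """
    flagged = []
    for client, found in analyze(log_lines).items():
        if "known_c2_domain" in found or {"random_php_posts", "wiki_special_random"} <= set(found):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for client, found in sorted(analyze(SAMPLE_LOG).items()):
        print(client, ", ".join(found))
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

In the constructed log, 10.0.0.5 is flagged on the domain alone, 10.0.0.9 is flagged on the behavioural combination even though its control host is not on any list, and the user at 10.0.0.7 who merely clicked Wikipedia's random-article link is left alone, as is the host repeatedly posting to a single login page.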
Rustock is purely a spambot – no other malicious activity was observed during our analysis. The malware is updated frequently, and new features are added regularly. The operation behind it focuses almost entirely on Canadian Pharmacy spam campaigns, but the volume of spam it generates is tremendous. With such a staggering share of the spam “market”, this botnet should not be underestimated and deserves closer scrutiny.