Rootkits are software code designed to hide from detection. So Kaspersky Lab's hunt for the elusive Rustock.C rootkit, rumored to exist for almost two years, reads like a detective plot.
Alexander Gostev, Kaspersky Lab's senior virus analyst, tells the tale in his blog Tuesday on Viruslist. According to Gostev, the Russian security firm Dr. Web in early May announced its experts had obtained a sample of Rustock.C in March but the sample it shared with the rest of the antivirus community lacked a 'dropper', the file designed to install the rootkit on the system.
"The sample of the rootkit's body distributed by Dr. Web was a 244,448-byte Windows driver," Gostev writes in his blog "Rustock and All That".
If the dropper had been provided, "this file could have significantly simplified the work carried out by other antivirus laboratories to analyze the rootkit and develop procedures to detect and treat Rustock.C. It might also have helped to clarify how the rootkit had originally spread."
The rootkit, the third variant in the Rustock series, hadn't been known to exist "in the wild," according to Kaspersky, so antivirus experts pondered the possibility that Rustock.C was nothing more than a "collector's item" and not widespread, which would have explained the time taken to find it.
Kaspersky Lab started in-depth analysis of the rootkit's encrypted code on May 12. After cracking the key, Kaspersky could view portions of the real code of Rostock.C on May 14.
By May 20, Kaspersky Lab had come up with its own methods for detection and treatment of the third Rustock. As part of the analysis, Kaspersky discovered it had 600 files that had been caught in its honeypots at different times after September 2007, and now believes that the rumors of Rustock.C as far back as 2006 "was created after a promotion of sorts in rootkit researcher circles -- possibly in response to the hysteria that accompanied the search for it," Gostev writes.
Kaspersky has identified four modifications of Rustock.C. The rootkit code works as a spambot, extracting the DLL from its body and executing it in the system memory of the target computer (it exists only in RAM and is never present on the hard drive in the form of a file), according to Kaspersky's analysis.
"Its purpose is to send spam from an infected computer," Gostev writes. The IP address identified belongs to hosting provider MCCOLO, "whose resources have long been used for distributing malicious programs and hosting cybercriminal sites," he adds.
About the Rustock.C rootkit, "it appears whoever created the rootkit was so confident of its effectiveness that they did not attach much importance to thwarting antivirus protection," Gostev says in his blog.
Further sleuthing led Kaspersky experts to believe that cybercrimnal groups associated with malware and botnets CoolWebSearch, IFrameBiz, Trafficadvance and LoadAdv are also associated with the creation of Rustock.C. "The group can be traced back to Russia, where most of its members undoubtedly live," Gostev writes.
Kaspersky also traced Rustock.C's dropper, which was Trojan-Downloader.Win32.Agent.DLL.
"The reconstruction of events by our experts demonstrates that the rootkit was actively spreading from September to November 2007," Gostev writes. "The use of the IFrameBiz network could ensure that it became truly widespread."
He adds: "The objective of Rustock's author was not to create an undetectable rootkit but to make analyzing the rootkit as difficult as possible once it had been detected. This would ensure that there was a certain time lag between the beginning of the rootkit's distribution and its detection by antivirus solutions."
Kaspersky Lab released procedures for the detection and treatment of infected files on May 20.
The next question, Gostev says, is whether there will be a Rustock.D. Kaspersky says it doesn't have the answer to that question, but don't be surprised if more sleuthing may be needed in the future.