brettcu at gmail.com
Wed Jan 9 07:37:23 CST 2013
I am not intimately familiar with Rustock, but it seems that the
Rustock.C variant still lives on disk but it hooks itself into ntfs.sys's
IRP handlers which allows it to "lie" to any calls to functions inside that
driver. So when a program (from operating system components or userland)
says "give me file X", Rustock.C will return the clean copy of the file
instead of the infected one.
From what I see, Rustock.C is available in both memory and on disk, it
just takes knowing what you are looking for in order to find it. Like most
commodity malware, there have been a number of controlled infections by
researchers to lead to the observation of the behavior.
On Tue, Jan 8, 2013 at 1:50 PM, Julian Brown <julian at jlbprof.com> wrote:
> Please forgive my noobness.
> I am new to Volatility and just viewed a discussion on memory acquisition
> problems and the malware removing itself from the memory before it was
> written to file for later analysis.
> Does malware such as Rustock.C leave any traces behind such as portions of
> the program used to "remove" itself from memory but cannot completely
> remove itself?
> Or if not, how do the researchers know it was present? Did they do a
> controlled infection and watch it remove itself by other means?
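The IRP-hook behaviour described above is what a memory analyst checks for by comparing a driver object's dispatch table against the loaded-module list. The following is an added example, not code from this thread or from Volatility: the module ranges and dispatch entries are constructed sample data, and `IRP_MJ_NAMES` covers only the handful of major functions used here.

```python
# Added example (not part of the original message): flag IRP major-function
# handlers of a driver object that point outside the driver's own image.
# All addresses, module names and table entries below are constructed
# sample data, not values taken from a real Rustock.C infection.

IRP_MJ_NAMES = {
    0x00: "IRP_MJ_CREATE",
    0x03: "IRP_MJ_READ",
    0x04: "IRP_MJ_WRITE",
    0x0C: "IRP_MJ_DIRECTORY_CONTROL",
    0x0E: "IRP_MJ_DEVICE_CONTROL",
}

# Constructed loaded-module list: (name, base, size)
MODULES = [
    ("ntoskrnl.exe", 0x804D7000, 0x22B000),
    ("ntfs.sys",     0xF83A2000, 0x08B000),
]

# Constructed IRP dispatch table for the ntfs.sys driver object
NTFS_IRP_TABLE = {
    0x00: 0xF83A5120,   # inside ntfs.sys
    0x03: 0xF83B0A40,   # inside ntfs.sys
    0x04: 0xF83B0B10,   # inside ntfs.sys
    0x0C: 0xFFB4C210,   # inside no loaded module: suspicious
    0x0E: 0x804E9C82,   # inside ntoskrnl.exe (kernel default handler)
}

def owner_module(addr, modules):
    """Return the name of the module whose image range contains addr, else None."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name
    return None

def find_irp_hooks(driver_name, irp_table, modules):
    """Return (irp_name, handler, owner) for each handler outside driver_name.

    Handlers resolving to another loaded module (usually ntoskrnl.exe) are
    reported for the analyst to judge; handlers in no known module (owner
    None) are the strongest sign of a hidden driver hooking the table.
    """
    findings = []
    for major, handler in sorted(irp_table.items()):
        owner = owner_module(handler, modules)
        if owner != driver_name:
            name = IRP_MJ_NAMES.get(major, f"IRP_MJ_{major:#04x}")
            findings.append((name, handler, owner))
    return findings

def unknown_module_hooks(driver_name, irp_table, modules):
    """Only the handlers that point into no loaded module at all."""
    return [f for f in find_irp_hooks(driver_name, irp_table, modules) if f[2] is None]
```

On a real image the same comparison is done against the driver object's MajorFunction array and the kernel's loaded-module list, which is what a hooked ntfs.sys would show even while the on-disk file reads clean.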