Feb 27, 1:51 am (UTC-7)   |   by Edgardo Diaz, Jr. (Threats Analyst)

A malware removes rootkits? There has to be a catch here.

Our recent analysis of RTKT_PUSHU.AC reveals that this component of the WORM_NUWAR and TROJ_PUSHDO/TROJ_PANDEX malware families removes rootkits previously installed by other malware, but then infects the system with its own rootkit components.

The rootkit, which is essentially a device driver, is dropped by the malware to remove the following hooks on the affected system:

  • System Service Dispatch Table (SSDT) Hook
  • IRP and Device Hooks for the following sys files:
    • Ntfs.sys
    • Ndis.sys
    • Tcpip.sys
    • Ipfltrdrv.sys

Removing these hooks also removes the Create Process Notify and Create Thread Notify routines on the affected system, which hides the processes and threads the malware executes.

The driver also serves as a component for updating the rootkit itself and for re-infecting the system with its malicious routines.
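The two hook types the post lists, SSDT entries redirected away from NTOSKRNL and IRP major-function entries of a driver such as TCPIP.SYS redirected into a foreign image, can both be detected with the same check that anti-rootkit tools apply: every entry of a dispatch table must resolve into the image that legitimately owns it. The C program below is an added example and is not code from the post or from Trend Micro; it runs the check over constructed snapshots of the SSDT and of TCPIP.SYS's MajorFunction table. The module base addresses, the table contents and the exact entries that are hooked are invented for illustration (the driver names WINCOM32.SYS and RUNTIME.SYS come from the post, their addresses do not).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b   /* 28 major function codes on NT */
#define IRP_MJ_DEVICE_CONTROL   0x0e

/* One loaded kernel module: name plus its image range. All values below are
 * constructed for this example and are not taken from the analysed samples. */
typedef struct {
    const char *name;
    uint32_t    base;
    uint32_t    size;
} module_t;

typedef struct {
    int         hooked;        /* entries resolving outside the expected owner */
    const char *first_hooker;  /* module owning the first foreign entry, or "unknown" */
} scan_result_t;

static const module_t sample_modules[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x1F8000u },
    { "tcpip.sys",    0xF7A00000u, 0x05A000u },
    { "wincom32.sys", 0xF8B00000u, 0x008000u },  /* TROJ_DORF.AA driver (constructed range) */
    { "runtime.sys",  0xF8C00000u, 0x004000u },  /* TROJ_ROOTKIT.DU driver (constructed range) */
};
#define NMODULES (sizeof sample_modules / sizeof sample_modules[0])

/* Return the module whose image range contains addr, or NULL if none does. */
static const module_t *owner_of(uint32_t addr, const module_t *mods, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* Core check shared by the SSDT and IRP cases: every entry of a dispatch table
 * is expected to point into one particular image (ntoskrnl for the SSDT, the
 * driver itself for its IRP major-function table). Anything else is a hook. */
scan_result_t scan_table(const uint32_t *table, size_t count, const char *expected,
                         const module_t *mods, size_t nmods)
{
    scan_result_t r = { 0, NULL };
    for (size_t i = 0; i < count; i++) {
        const module_t *m = owner_of(table[i], mods, nmods);
        if (m == NULL || strcmp(m->name, expected) != 0) {
            r.hooked++;
            if (r.first_hooker == NULL)
                r.first_hooker = m ? m->name : "unknown";
        }
    }
    return r;
}

/* Constructed SSDT excerpt: eight service entries, two redirected into wincom32.sys. */
scan_result_t scan_ssdt_sample(void)
{
    static const uint32_t ssdt[] = {
        0x805B0F10u, 0x805C2A40u,
        0xF8B01240u,  /* redirected: file-hiding hook living in wincom32.sys */
        0x80619C30u,
        0xF8B01560u,  /* redirected: registry-hiding hook living in wincom32.sys */
        0x805E7D90u, 0x8062A0B0u, 0x805A1F00u,
    };
    return scan_table(ssdt, sizeof ssdt / sizeof ssdt[0], "ntoskrnl.exe",
                      sample_modules, NMODULES);
}

/* Constructed MajorFunction table of \Driver\Tcpip: all 28 slots point into
 * tcpip.sys except IRP_MJ_DEVICE_CONTROL, which has been swung to runtime.sys. */
scan_result_t scan_tcpip_irp_sample(void)
{
    uint32_t irp[IRP_MJ_MAXIMUM_FUNCTION + 1];
    for (size_t i = 0; i <= IRP_MJ_MAXIMUM_FUNCTION; i++)
        irp[i] = 0xF7A0A100u;                 /* tcpip's own dispatch routine */
    irp[IRP_MJ_DEVICE_CONTROL] = 0xF8C00A20u; /* port-hiding hook living in runtime.sys */
    return scan_table(irp, IRP_MJ_MAXIMUM_FUNCTION + 1, "tcpip.sys",
                      sample_modules, NMODULES);
}

int main(void)
{
    scan_result_t s = scan_ssdt_sample();
    scan_result_t t = scan_tcpip_irp_sample();
    printf("SSDT: %d hooked entries (first owner: %s)\n",
           s.hooked, s.first_hooker ? s.first_hooker : "none");
    printf("tcpip.sys IRP table: %d hooked entries (first owner: %s)\n",
           t.hooked, t.first_hooker ? t.first_hooker : "none");
    return 0;
}
```

On a live system the two tables would be read by a driver rather than embedded as arrays, but the decision logic is the same, and an entry whose owner comes back as "unknown" (not inside any loaded module) is just as suspicious as one inside a named third-party driver, since rootkits often place their hooks in pool memory rather than in their own image. The same ownership check can be applied to the address of any registered Create Process Notify or Create Thread Notify routine.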

Below is an example scenario of how RTKT_PUSHU.AC executes its routines:

The first screenshot shows two rootkits that have been installed on the system. WINCOM32.SYS, detected by Trend Micro as TROJ_DORF.AA, hooks the SSDT for file and registry hiding. RUNTIME.SYS, on the other hand, is detected by Trend Micro as TROJ_ROOTKIT.DU and hooks the IRPs of TCPIP.SYS for port hiding. Also shown is RTKT_PUSHU.AC, installed on the system as IP6FW.SYS.

[Screenshot: TROJ_DORF.AA, TROJ_ROOTKIT.DU, RTKT_PUSHU.AC]

Upon execution, TROJ_DORF.AA and TROJ_ROOTKIT.DU go into action:

TROJ_DORF.AA hooks the SSDT as shown below. This falsifies the output of calls to the system services provided by NTOSKRNL, which lets the rootkit hide certain processes and files on the affected system.

[Screenshot: TROJ_DORF.AA]

As a result, the file WINCOM32.SYS, detected by Trend Micro as TROJ_DORF.AA, is now hidden, as shown in the screenshot below:

[Screenshot: TROJ_DORF.AA]

TROJ_ROOTKIT.DU, on the other hand, hooks the IRPs of TCPIP.SYS, as shown in the following screenshot:

[Screenshot: TROJ_ROOTKIT.DU]

As a result, TCP ports on the affected system are now hidden:

[Screenshot: TROJ_ROOTKIT.DU]

Now, upon the execution of RTKT_PUSHU.AC, the hooks on SSDT are no longer there:

[Screenshot: RTKT_PUSHU.AC]

So the file WINCOM32.SYS, detected as TROJ_DORF.AA, is visible again:

[Screenshot: TROJ_DORF.AA]

The IRP hooks related to TCPIP.SYS are gone as well:

[Screenshot: TROJ_ROOTKIT.DU]

This reveals the previously hidden ports:

[Screenshot: TROJ_ROOTKIT.DU]

The catch: RTKT_PUSHU.AC does disable rootkits previously installed on the system, but only to infect it with its own rootkit components or to update components it had installed earlier.

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice