Hi Julian,

I am not intimately familiar with Rustock, but it seems that the Rustock.C variant still lives on disk but it hooks itself into ntfs.sys's IRP handlers, which allows it to "lie" to any calls to functions inside that driver. So when a program (from operating system components or userland) says "give me file X", Rustock.C will return the clean copy of the file instead of the infected one.

From what I see, Rustock.C is available in both memory and on disk; it just takes knowing what you are looking for in order to find it. Like most commodity malware, there have been a number of controlled infections by researchers that led to the observation of the behavior.

- jbc22
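The reply above describes the mechanism: the driver object for ntfs.sys keeps a MajorFunction dispatch table, and the rootkit swaps entries so IRP_MJ_CREATE/READ requests land in its own code before the real file-system handler sees them. The memory-forensics check that exposes this is simple: every dispatch pointer should fall inside the owning driver's image (or, for unused slots, inside the kernel's default handler). The following script is an added illustration written for this thread, not Volatility's own code; the module addresses, the dispatch table and the "unlisted" hook pointers are all constructed sample data, and the module names are stand-ins for what a real memory image would list.

```python
"""Flag IRP dispatch slots that point outside the owning driver's image.

Added example for the discussion above (not Volatility project code).
All addresses and module sizes below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Slot names of DRIVER_OBJECT.MajorFunction, in IRP_MJ_* index order (28 entries).
IRP_MJ_NAMES = [
    "CREATE", "CREATE_NAMED_PIPE", "CLOSE", "READ", "WRITE",
    "QUERY_INFORMATION", "SET_INFORMATION", "QUERY_EA", "SET_EA",
    "FLUSH_BUFFERS", "QUERY_VOLUME_INFORMATION", "SET_VOLUME_INFORMATION",
    "DIRECTORY_CONTROL", "FILE_SYSTEM_CONTROL", "DEVICE_CONTROL",
    "INTERNAL_DEVICE_CONTROL", "SHUTDOWN", "LOCK_CONTROL", "CLEANUP",
    "CREATE_MAILSLOT", "QUERY_SECURITY", "SET_SECURITY", "POWER",
    "SYSTEM_CONTROL", "DEVICE_CHANGE", "QUERY_QUOTA", "SET_QUOTA", "PNP",
]


@dataclass(frozen=True)
class Module:
    """A loaded kernel module as it would appear in a module list."""
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


def owner_of(addr: int, modules: Iterable[Module]) -> Optional[str]:
    """Name of the loaded module containing addr, or None if no module claims it."""
    for mod in modules:
        if mod.contains(addr):
            return mod.name
    return None


def find_hooked_irp_handlers(
    driver: Module,
    major_function: List[int],
    modules: Iterable[Module],
    allowed: frozenset = frozenset({"ntoskrnl.exe"}),
) -> List[Tuple[str, int, Optional[str]]]:
    """Return (slot, pointer, owner) for each slot not inside `driver`.

    Pointers into modules named in `allowed` are skipped: drivers routinely
    leave unused slots pointing at the kernel's default handler, which is
    benign. A pointer that no listed module owns is the interesting case,
    since it suggests code in an unlinked or hidden driver image.
    """
    modules = list(modules)
    findings = []
    for idx, ptr in enumerate(major_function):
        if driver.contains(ptr):
            continue
        owner = owner_of(ptr, modules)
        if owner in allowed:
            continue
        findings.append((IRP_MJ_NAMES[idx], ptr, owner))
    return findings


# Constructed sample: a 32-bit-style layout with ntfs.sys and the kernel.
NTFS = Module("ntfs.sys", 0xF8400000, 0x90000)
NTOSKRNL = Module("ntoskrnl.exe", 0x80400000, 0x200000)
MODULES = [NTOSKRNL, NTFS]
KERNEL_DEFAULT = 0x80410000  # constructed stand-in for the kernel's default IRP handler

# Start from a clean table: every slot inside ntfs.sys.
SAMPLE_TABLE = [NTFS.base + 0x1000 * (i + 1) for i in range(28)]
SAMPLE_TABLE[1] = KERNEL_DEFAULT    # CREATE_NAMED_PIPE: unused by ntfs, kernel default (benign)
SAMPLE_TABLE[19] = KERNEL_DEFAULT   # CREATE_MAILSLOT: same
SAMPLE_TABLE[0] = 0xF9E01234        # CREATE redirected into memory no module claims
SAMPLE_TABLE[3] = 0xF9E01300        # READ redirected likewise


if __name__ == "__main__":
    for slot, ptr, owner in find_hooked_irp_handlers(NTFS, SAMPLE_TABLE, MODULES):
        print(f"IRP_MJ_{slot:<24} -> {ptr:#010x} owner={owner or 'UNKNOWN'}")
```

On the constructed data the two redirected slots (CREATE and READ) are reported with owner UNKNOWN, while the two slots resting on the kernel default handler are silently accepted. Dropping the `allowed` set (passing `allowed=frozenset()`) makes those kernel-owned slots show up too, which is useful when you want the full picture rather than only the suspicious entries.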


On Tue, Jan 8, 2013 at 1:50 PM, Julian Brown <julian@jlbprof.com> wrote:
Please forgive my noobness.

I am new to Volatility and just viewed a discussion on memory acquisition problems and the malware removing itself from the memory before it was written to file for later analysis.

Does malware such as Rustock.C leave any traces behind such as portions of the program used to "remove" itself from memory but cannot completely remove itself?

Or if not, how do the researchers know it was present?  Did they do a controlled infection and watch it remove itself by other means?

Thanx

Julian




_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilesystems.com/mailman/listinfo/vol-users