News Detail

  
06.05.2008
Win32.Ntldrbot (aka Rustock.C) no longer a myth, no longer a threat. New Dr.Web scanner cures it — by Doctor Web, Ltd.

Doctor Web, Ltd. – a Russian developer of IT-security solutions branded Dr.Web – releases a new version of the Dr.Web scanner that successfully detects Win32.Ntldrbot (aka Rustock.C) and cures system files infected by the rootkit. Currently no other anti-virus can detect the malicious program.

These days the world marked the thirtieth anniversary of spam. It has come a long way from an annoying advertisement for Hormel Foods canned ham to mass mailings of unsolicited mail that have become a worldwide issue. Many of us notice our traffic increase for no apparent reason, and experts estimate that up to 90 per cent of our e-mail correspondence is completely irrelevant and irritating. Win32.Ntldrbot is one of the reasons behind the booming activity of spammers.

The main task of Win32.Ntldrbot is infecting PCs and turning them into spamming bots in botnets – vast spam mailing networks. Besides, the rootkit remains completely undetected. Supposedly, it has been doing so since October 2007! According to Secure Works, the botnet built by Rustock is the third largest and distributes around 30 billion spam messages daily, most of them advertising securities and medicines.

The author of the rootkit started testing new techniques for intercepting network driver functions and hiding in the system at the end of 2005 or at the beginning of 2006, when the first beta of the malware appeared. Rustock.B also came into being in 2006. It was able to bypass firewalls and hide spam traffic. Anti-virus vendors easily detected and removed these variants of the rootkit.

However, its next variant – Win32.Ntldrbot – turned out to be a tough one: neither anti-virus companies nor virus makers were able to obtain a sample of the malware. There is no crime without evidence. So most anti-virus vendors announced that the malware didn’t exist, since none of them had found it, and there was no use searching for a myth.

Meanwhile, Win32.Ntldrbot turned out to be real.

 

Some anti-virus labs didn’t give up seeking the virus. Finally the intensive search gave results. Eighteen months passed before Win32.Ntldrbot was found by analysts of Doctor Web, Ltd. at the beginning of 2008. All this time the rootkit was in the wild, compromising PCs and turning them into bots. Assuming that the malware has been running free and completely invisible since October 2007, one could assess the resulting amount of infected traffic.

The virus monitoring service of Doctor Web, Ltd. found about 600 samples of the rootkit. Nobody knows how many remain. It took several weeks to unpack and analyze the rootkit and to improve the detection technology.

Some features of Win32.Ntldrbot

  • Sophisticated polymorphic protection of the rootkit makes extraction and analysis extremely difficult.
  • Implemented as a driver, it runs at the lowest kernel level.
  • Protects itself and prevents runtime changes.
  • Uses active anti-debugging techniques: monitors the setting of hardware breakpoints (DR registers) and disrupts the operation of kernel-level debuggers (e.g. Syser, SoftICE). The WinDbg debugger won’t work if the rootkit is running.
  • Intercepts system functions using a non-standard method.
  • Functions as a file virus and infects system drivers.
  • A particular sample of the rootkit is adapted to the hardware of the infected machine and most likely won’t run on another computer.
  • Utilizes a time-triggered reinfection feature: the previously infected file is cured and a new one is infected, so the rootkit "wanders" through system drivers, infecting only one at a time.
  • Filters calls to the infected file: it intercepts the FSD procedures of the file system driver and redirects a read of the infected file to the original file instead.
  • Features anti-rootkit protection.
  • Injects its library into one of the Windows system processes, and that library does the spamming. The driver communicates with the DLL using a special command transfer mechanism.
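The two driver-related items above (a file infector that moves between system drivers, and FSD-level filtering that hands a clean copy to anyone reading the infected file) together explain why a simple hash check from inside the running system can come up empty. The following is an added example, not Doctor Web's code: it hashes a directory of driver files against a baseline to catch a modified driver, and then shows the same check against a "live" view in which the infected file's reads are redirected to the original content, so that only a comparison with an offline read (a scan from clean media) exposes the change. The driver names and contents are constructed for the demo.

```python
"""Baseline integrity check for a driver directory, plus a cross-view
comparison. Added example; driver names and bytes are constructed."""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, Set


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large driver images are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: str, suffixes: Iterable[str] = (".sys",)) -> Dict[str, str]:
    """Map every driver file under root (relative path) to its SHA-256."""
    wanted = tuple(s.lower() for s in suffixes)
    out: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(wanted):
                full = os.path.join(dirpath, name)
                out[os.path.relpath(full, root)] = sha256_file(full)
    return out


def diff_baselines(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Classify drivers as modified, added or removed relative to a trusted baseline."""
    return {
        "modified": {p for p in baseline if p in current and baseline[p] != current[p]},
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
    }


def cross_view_diff(live_view: Dict[str, str], offline_view: Dict[str, str]) -> Set[str]:
    """Files whose hash as reported by the running system differs from an
    offline read of the same disk. A rootkit that redirects reads of its host
    file to the original content makes the two views disagree exactly there."""
    return {p for p in offline_view if live_view.get(p) != offline_view[p]}


def demo():
    """Run the whole scenario in a temporary directory and return the three reports."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed stand-ins for system drivers (hypothetical contents).
        drivers = {
            "ntfs.sys": b"NTFS driver image v1",
            "tcpip.sys": b"TCP/IP driver image v1",
            "null.sys": b"null driver image v1",
        }
        for name, data in drivers.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline = hash_tree(root)  # taken while the system is known clean

        # Simulate the file infector attaching itself to one driver.
        with open(os.path.join(root, "tcpip.sys"), "ab") as f:
            f.write(b"<constructed appended body>")
        offline_now = hash_tree(root)           # what a scan from clean media sees
        honest_report = diff_baselines(baseline, offline_now)

        # Simulate the FSD filter: reads of the infected file from inside the
        # running system return the original bytes, so its hash looks unchanged.
        live_now = dict(offline_now)
        live_now["tcpip.sys"] = baseline["tcpip.sys"]
        hidden_report = diff_baselines(baseline, live_now)   # finds nothing
        exposed = cross_view_diff(live_now, offline_now)     # names the hidden file
        return honest_report, hidden_report, exposed


if __name__ == "__main__":
    honest, hidden, exposed = demo()
    print("offline scan modified:", sorted(honest["modified"]))
    print("in-system scan modified:", sorted(hidden["modified"]))
    print("cross-view disagreement:", sorted(exposed))
```

The point of the third report is the one the feature list makes: integrity checking of drivers is sound, but it has to read the disk from a vantage point the rootkit does not filter, or compare two vantage points and treat any disagreement as a finding.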
Win32.Ntldrbot has been able to hide from anti-viruses for quite a while. It means that no one can guarantee that your machine is not infected. Possibly it has become a bot and is sending out spam right now. If you are not using Dr.Web anti-virus, you can scan your computer and cure system files infected by Win32.Ntldrbot using the Dr.Web CureIt! free curing utility.
© Copyright 2006-18 MotleySoft.com, a service of MediaPro (p.iva 09509960010). All rights reserved