'I can't go back to yesterday, because I was a different person then'

Chun Feng, Microsoft

System Restore hardware and software have been widely implemented, and are commonly used by computer users to revert to a previously preserved 'good' state after being affected by malware or other threats to system integrity. As these restore facilities have become commonplace, so too has malware that attempts to penetrate them. Such malware reaches deep into the affected machine and targets the storage driver stack beneath the file system.

In early 2008, a mysterious new breed of malware appeared in China and has been evolving quickly since. This malware, named Win32/Dogrobot, is deliberately designed to penetrate the 'hard disk recovery card', a restore device widely used by Internet cafés in China. Surprisingly, Dogrobot has caused more than 8 billion RMB (around 1.2 billion USD) in losses to Internet cafés in China, a cost that far exceeds that caused by the notorious virus Win32/Viking.

This paper tracks the five generations of Dogrobot and presents the novel rootkit technique Dogrobot uses to penetrate System Restore on Windows systems, covering penetration at the Windows volume management layer, as used by early variants, through to the Windows IDE/ATAPI port driver layer, as used by the latest variants. The paper also closely examines Dogrobot's propagation methods, including the use of a zero-day exploit and ARP spoofing.

Why does Dogrobot single out Internet cafés as its targets, and what is the final goal of this malware? This paper answers these questions and elaborates on the clandestine relationship between Dogrobot and the black market for online game passwords.
