'I can't go back to yesterday, because I was a different person then'
Chun Feng Microsoft
download slides (PDF)
System Restore hardware and software have been widely implemented, and are commonly used by computer users to revert back
to a pre-preserved 'good' state after being affected by malware or other threats to system integrity. As these restore
facilities have become commonplace, so too has the malware that attempts to penetrate them. This type of malware reaches
into the depths of the affected machine and targets the file system driver.
In early 2008, a mysterious new breed of malware appeared in China and has been evolving quickly since. This malware,
named Win32/Dogrobot is designed deliberately to penetrate a 'hard disk recovery card', hardware widely used by
Internet cafés in China. Surprisingly, Dogrobot has caused more than 8 billion RMB (around 1.2 billion USD) in
losses to Internet cafés in China. (This cost is far beyond that created by the notorious virus Win32/Viking).
This paper tracks the five generations of Dogrobot and presents the novel rootkit technique used by Dogrobot to penetrate
System Restore on Windows systems, covering penetration from the Windows volume management layer used by
early variants, to the Windows IDE/ATAPI Port Driver layer used by the latest variants. This paper also closely
examines Dogrobot's propagation methods, including the use of a zero-day exploit and ARP spoofing.
What is the significance of Dogrobot's selection of Internet cafés as its chosen targets? And what is the final
goal of this malware? This paper answers these questions and elaborates on the clandestine relationship between Dogrobot
and the black market for online games passwords.