Avast WEBforum

Other => General Topics => Topic started by: polonus on September 24, 2009, 08:58:11 PM

Title: Hackers hijack Windows System Restore through rootkit
Post by: polonus on September 24, 2009, 08:58:11 PM
Hi malware fighters,

Chinese cybercrime gangs hijack the system restore function in Windows on a grand scale to infect computers in Internet cafés permanently and so steal hundreds of millions of dollars' worth of data. In China lots of people do not own a computer and therefore use the machines of a local Internet café. With every new login the system is restored and cleansed. Dogrobot malware enables attackers to survive this fresh reboot and eventually steal online gamers' login data.

According to Microsoft, Dogrobot has already caused 1.2 billion dollars of damage in Chinese Internet cafés: http://blogs.zdnet.com/security/?p=4423
Until now five generations of the malware have appeared, consisting of a collection of zero-day leaks, rootkits and ARP spoofing techniques to infect systems and steal data. Dogrobot uses disk-level I/O file manipulation to penetrate the Windows System Restore function, but the second generation uses a "backdoor" already present in System Restore, according to Microsoft anti-virus researcher Chun Feng. For more info on this existing backdoor in XP, see: http://forum.emsisoft.com/default.aspx?g=posts&t=2787
The third generation had unhooking code to circumvent security program protection and removal, according to Feng at the VirusBulletin conference in Geneva.

USB-stick/pendrive
To be able to play online, Chinese users carry their log-on data around on a USB stick. This is also being abused by Dogrobot, which spreads via the AutoRun functionality. The malcode is so successful because it uses a variety of ActiveX, Windows, RealPlayer and WebThunder exploits. Moreover it uses ARP cache poisoning, sending malicious ARP packets to the local network to have other machines also download and install the Dogrobot malware. Analysis: http://vil.nai.com/vil/content/v_207561.htm

polonus

P.S. avast detects the malware as Win32.Dogrobot

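Added example, not part of polonus's post and not code from avast, Microsoft or any vendor: the ARP cache poisoning the post describes is detectable on the network side, because a poisoner must claim an IP address (typically the gateway's) with a MAC that differs from the legitimate one, and usually floods unsolicited replies to keep the victims' caches poisoned. The script below applies two simple checks to constructed ARP reply records (in practice these would come from a sniffer or a switch's ARP log): an IP whose claimed MAC changes from its first-seen baseline, and a MAC sending more replies than a threshold within a sliding time window. The sample data and thresholds are constructed assumptions.

```python
"""
Defensive ARP cache poisoning detector over constructed ARP reply records.
Added example; not code from the forum post or from any product it mentions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ArpReply:
    ts: float   # capture time in seconds (constructed)
    ip: str     # sender protocol address claimed in the reply
    mac: str    # sender hardware address that made the claim


# Constructed sample: the gateway 192.168.1.1 is legitimately aa:aa:aa:aa:aa:01.
# From t=30 a second MAC (constructed value) claims the gateway IP and floods
# six unsolicited replies in five seconds, the pattern a poisoner needs to keep
# other hosts' caches pointing at it.
SAMPLE_REPLIES: List[ArpReply] = [
    ArpReply(0.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(3.0, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(5.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(10.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),
    ArpReply(12.0, "192.168.1.20", "bb:bb:bb:bb:bb:20"),
    ArpReply(30.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(31.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(32.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(33.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(34.0, "192.168.1.1", "de:ad:be:ef:00:01"),
    ArpReply(35.0, "192.168.1.1", "de:ad:be:ef:00:01"),
]


def detect_ip_mac_conflicts(replies: List[ArpReply]) -> List[Tuple[str, str, str, float]]:
    """Return (ip, baseline_mac, conflicting_mac, first_ts) for every IP whose
    claimed MAC deviates from the first MAC seen for it. The baseline is the
    first claim in time order; each (ip, new_mac) pair is reported once."""
    baseline = {}
    reported = set()
    alerts = []
    for r in sorted(replies, key=lambda x: x.ts):
        first = baseline.setdefault(r.ip, r.mac)
        if r.mac != first and (r.ip, r.mac) not in reported:
            reported.add((r.ip, r.mac))
            alerts.append((r.ip, first, r.mac, r.ts))
    return alerts


def detect_reply_floods(replies: List[ArpReply], window: float = 10.0,
                        threshold: int = 5) -> List[str]:
    """Return the MACs that sent more than `threshold` ARP replies inside any
    `window`-second span, using a sliding window over each MAC's timestamps."""
    by_mac = defaultdict(list)
    for r in replies:
        by_mac[r.mac].append(r.ts)
    flagged = []
    for mac, times in by_mac.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(mac)
                break
    return sorted(flagged)


def suspicious_macs(replies: List[ArpReply]) -> List[str]:
    """MACs that both contradict an existing IP-to-MAC baseline and flood
    replies: the combination a cache poisoner exhibits, with fewer false
    positives than either check alone (a legitimate NIC swap changes the MAC
    but does not flood)."""
    conflicting = {a[2] for a in detect_ip_mac_conflicts(replies)}
    return sorted(conflicting & set(detect_reply_floods(replies)))


if __name__ == "__main__":
    for ip, old, new, ts in detect_ip_mac_conflicts(SAMPLE_REPLIES):
        print(f"t={ts:>5.1f} {ip} was {old}, now claimed by {new}")
    print("flooding MACs:", detect_reply_floods(SAMPLE_REPLIES))
    print("likely poisoners:", suspicious_macs(SAMPLE_REPLIES))
```

On a real network the baseline should come from a trusted source (the DHCP server's lease table or a static gateway MAC) rather than from the first reply seen, since a poisoner that starts before the monitor would otherwise become the baseline itself. Disabling AutoRun on the café machines addresses the USB-stick vector the post mentions; the ARP check is about the network vector.
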
Title: Re: Hackers hijack Windows System Restore through rootkit
Post by: igor on September 25, 2009, 01:19:46 PM
Polonus, where did you get this information from? ;)

Actually, it's a bit different; the talk, and the "hijacking", has nothing to do with Windows System Restore - it targets a special (hardware) card used to restore the system, used e.g. in Internet cafes (especially in China).

Title: Re: Hackers hijack Windows System Restore through rootkit
Post by: polonus on September 25, 2009, 01:36:35 PM
Hi Igor,

The full Dutch text that I translated for our forums can be found here: http://www.security.nl/artikel/30989/1/Hackers_kapen_Windows_Systeemherstel_met_rootkit.html
The bit about hijacking Windows System Restore you can find here:
http://blogs.zdnet.com/security/?p=4423
If the info is misrepresented there, I am anxious to know.

polonus