
September 23rd, 2009

Hijacking Windows System Restore for cybercrime profits

Posted by Ryan Naraine @ 9:30 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Locally Running Web Servers, Malware, Passwords, Patch Watch, Phishing, Responsible disclosure, Rootkits

Tags: Technique, System Restore, Malware, Online Game, Dogrobot, Spyware, Adware & Malware, Cyberthreats, Productivity, Rootkits, Games

GENEVA — Cyber crime gangs in China are penetrating the hard disk recovery cards on computers in Internet cafes and using a combination of zero-day flaws, rootkits and ARP spoofing techniques to steal billions of dollars worth of online gaming credentials.

According to Microsoft anti-virus researcher Chun Feng, five generations of the Win32/Dogrobot malware family have perfected a novel rootkit technique to hijack System Restore on Windows — effectively allowing the malicious file to survive even after the compromised machine is reverted to a previous clean state.

At the Virus Bulletin 2009 conference here, Feng provided a fascinating look at the techniques used by Dogrobot, which is directly linked to the lucrative underground trading of online gaming assets like passwords and virtual property.

According to data presented by Feng, the Dogrobot family has caused more than US$1.2 billion in losses to Chinese Internet cafes.

He explained that earlier Dogrobot used disk-level I/O file manipulation to penetrate System Restore but, as the malware evolved, it started using a “backdoor” that already exists in the System Restore functionality. A third generation introduced extensive unhooking code to thwart the protection offered by security programs and avoid removal.

Along the way, Feng discovered that newer variants were tweaked to get around security software and strengthen the code’s ability to maintain persistent stealth on compromised Windows computers.

In China, Internet cafes are very popular among the online gaming crowd, where the use of USB sticks with account credentials is the norm. Dogrobot takes advantage of this, abusing the USB AutoRun functionality on older machines to propagate.

He explained that the malware author has found success exploiting zero-day ActiveX vulnerabilities and other flaws in Windows OS and third-party software — especially RealPlayer and WebThunder.

The attackers also use ARP cache poisoning to send malicious ARP packets to instruct other machines within the same LAN to download Dogrobot samples.
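The ARP cache poisoning described above is the one link in the chain a cafe operator can see from the network itself. The following detector is an added example, not code from the article or from Microsoft's research; it assumes the defender logs sender IP/MAC pairs from ARP replies (for example off a span port) and knows the gateway address. The sample records are constructed.

```python
"""Flag ARP cache poisoning from a stream of observed ARP replies."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float   # capture time in seconds (constructed values below)
    ip: str     # sender protocol address
    mac: str    # sender hardware address


def detect_poisoning(replies, gateway_ip, max_ips_per_mac=2):
    """Return alert strings for two defender-side heuristics:
    1. an IP's MAC changes (HIGH when it is the gateway, else MEDIUM);
    2. one MAC answers for more than max_ips_per_mac distinct IPs, which is
       what a host impersonating the gateway and its neighbours looks like.
    """
    alerts = []
    ip_to_mac = {}                 # last MAC seen for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    for r in replies:
        mac = r.mac.lower()        # normalise case before comparing
        prev = ip_to_mac.get(r.ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if r.ip == gateway_ip else "MEDIUM"
            alerts.append(f"{sev} t={r.ts:.0f} {r.ip} moved {prev} -> {mac}")
        ip_to_mac[r.ip] = mac
        mac_to_ips[mac].add(r.ip)
        if len(mac_to_ips[mac]) == max_ips_per_mac + 1:   # alert once per MAC
            alerts.append(f"HIGH t={r.ts:.0f} {mac} claims "
                          f"{len(mac_to_ips[mac])} IPs: "
                          + ", ".join(sorted(mac_to_ips[mac])))
    return alerts


# Constructed sample: a legitimate gateway, then one cafe PC (aa:...:01)
# answering for the gateway and for a neighbour.
SAMPLE = [
    ArpReply(0, "192.168.1.1", "00:11:22:33:44:55"),
    ArpReply(1, "192.168.1.10", "aa:bb:cc:dd:ee:01"),
    ArpReply(2, "192.168.1.11", "aa:bb:cc:dd:ee:02"),
    ArpReply(30, "192.168.1.1", "AA:BB:CC:DD:EE:01"),
    ArpReply(31, "192.168.1.11", "aa:bb:cc:dd:ee:01"),
]

if __name__ == "__main__":
    for alert in detect_poisoning(SAMPLE, gateway_ip="192.168.1.1"):
        print(alert)
```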

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Talkback: Most Recent of 56 Talkback(s)
Sorry, turning off system restore won't save Windows from this exploit. It can still be infected even if you completely disable system restore.

The only time system restore would come into the equation would be if you got infected, cleaned the infection, and then restored back to when it was infected, which wouldn't be wise....

Posted by: AzuMao Posted on: 10/02/09
