Hijacking Windows System Restore for cybercrime profits – ZDNet
Latest Post | Last 10 Posts | Archives
Previous Post: Modern banker malware undermines two-factor authentication
Hijacking Windows System Restore for cybercrime profits
Posted in:
- Anti Virus
- Arbitrary Code Execution
- Botnets
- Browsers
- Complex Attacks
- Data theft
- Exploit code
- Locally Running Web Servers
- Malware
- Passwords
- Patch Watch
- Phishing
- Responsible disclosure
- Rootkits
GENEVA -- Cyber crime gangs in China are penetrating the hard disk recovery cards on computers in Internet cafes and using a combination of zero-day flaws, rootkits and ARP spoofing techniques to steal billions of dollars worth of online gaming credentials.
According to Microsoft anti-virus researcher Chun Feng (left), five generations of the Win32/Dogrobot malware family have perfected the novel rootkit technique to hijack System Restore on Windows -- effectively allowing the malicious file to survive even after the compromised machine is reverted to its previous clean state.
At the Virus Bulletin 2009 conference here, Feng provided a fascinating look at the techniques used by Dogrobot, which is directly linked to the lucrative underground trading of online gaming assets like passwords and virtual property.
According to data presented by Feng, the Dogrobot family has caused more than USD$1.2 billion in losses to Chinese Internet cafes.
He explained that earlier Dogrobot used disk-level I/O file manipulation to penetrate System Restore but, as the malware evolved, it started using a "backdoor" that already exists in the System Restore functionality. A third generation introduced extensive unhooking code to thwart the protection offered by security programs and avoid removal.
Along the way, Feng discovered that newer variants were tweaked to get around security software and strengthen the code's ability to maintain persistent stealth on compromised Windows computers.
In China, Internet cafes are very popular among the online gaming crowd where the use of USB sticks with account credentials is the norm. Dogrobot takes advantage of this, abusing the USB AutoRun functionality on older machines to propagate.
He explained that the malware author has found success exploiting zero-day ActiveX vulnerabilities and other flaws in Windows OS and third-party software -- especially RealPlayer and WebThunder.
The attackers also use ARP cache poisoning to send malicious ARP packets to instruct other machines within the same LAN to download Dogrobot samples.
posted by Ryan Naraine
September 23, 2009 @ 9:30 am
Previous Post: Modern banker malware undermines two-factor authentication
Last 10 posts:
- Hijacking Windows System Restore for cybercrime profits (09-23)
- Modern banker malware undermines two-factor authentication (09-23)
- Google exec calls for ISPs to get tough on botnets (09-23)
- Scareware scammers hijack Twitter trending topics (09-23)
- From Gimmiv to Conficker: The lucrative MS08-067 flaw (09-23)
- Critical iTunes flaw exposes Mac, Windows to hacker attacks (09-22)
- Microsoft ships one-click 'workaround' for critical SMB2 flaw (09-18)
- Sun patches 'critical' StarOffice/StarSuite flaw (09-18)
- 'Bahama' botnet linked to click-fraud surge (09-18)
- PBS.org hacked, serving malware cocktail (09-18)
WordPress Mobile Edition available at alexking.org.
powered by WordPress.
