Trojan Hides In Windows Recovery


25 September 2009, 10:16

Trojan hides in Windows Recovery

According to a report by Microsoft virus specialist Chun Feng at the Virus Bulletin malware conference in Geneva, criminals spying out users' online gaming login data in Chinese internet cafes and subsequently selling this information are said to have caused 1.2 billion US dollars in damage. The criminals use the Dogrobot trojan, which hides in the system and can even survive a Windows system recovery.

According to Chun Feng, the malware exploits a back door in the Windows system recovery and a vulnerability in the "Hard Disk Recovery Cards" that are part of many PCs in Chinese internet cafes. The cards are designed to prevent hard disk write access to avoid problems such as virus infections, and allow a system to be recovered after a problem. Excelstor's GStor-Plus offers a similar feature, but so far in Europe this type of system has not gained much acceptance.

The variant now said to be in circulation is the fifth incarnation of Dogrobot, which uses various rootkit techniques. While the first variant only compromised the Windows Volume Management Layer, the latest version reportedly hooks into the Windows IDE/ATAPI Port Driver Layer to hide there. Chun Feng didn't provide any further details, and his latest presentation is not yet available to download. At the Virus Bulletin 2008 conference, the specialist had already pointed out that Dogrobot can handle Hard Disk Recovery Cards.

Dogrobot is injected into PCs using vulnerabilities such as browser holes. It also uses ARP cache poisoning attacks to redirect other Windows PCs in a local network to specially crafted web pages and infect them this way. The trojan also spreads via USB flash drives.

Heise security - http://www.h-online.com/security/Trojan-hi...y--/news/114322