Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Hijacking Windows System Restore for cybercrime profits

By Ryan Naraine | September 23, 2009, 9:30am PDT

Summary: Hackers in China are using a combination of sophisticated techniques to penetrate the hard disk recovery card on computers in Internet cafes to steal billions of dollars worth of online gaming credentials.

GENEVA — Cyber crime gangs in China are penetrating the hard disk recovery cards on computers in Internet cafes and using a combination of zero-day flaws, rootkits and ARP spoofing techniques to steal billions of dollars worth of online gaming credentials.

According to Microsoft anti-virus researcher Chun Feng, five generations of the Win32/Dogrobot malware family have perfected a novel rootkit technique to hijack System Restore on Windows, effectively allowing the malicious file to survive even after the compromised machine is reverted to its previous clean state.

At the Virus Bulletin 2009 conference here, Feng provided a fascinating look at the techniques used by Dogrobot, which is directly linked to the lucrative underground trading of online gaming assets like passwords and virtual property.

According to data presented by Feng, the Dogrobot family has caused more than US$1.2 billion in losses to Chinese Internet cafes.

He explained that earlier Dogrobot variants used disk-level I/O file manipulation to penetrate System Restore but, as the malware evolved, it started using a “backdoor” that already exists in the System Restore functionality. A third generation introduced extensive unhooking code to thwart the protection offered by security programs and avoid removal.

Along the way, Feng discovered that newer variants were tweaked to get around security software and strengthen the code’s ability to maintain persistent stealth on compromised Windows computers.

In China, Internet cafes are very popular among the online gaming crowd, where the use of USB sticks with account credentials is the norm. Dogrobot takes advantage of this, abusing the USB AutoRun functionality on older machines to propagate.

He explained that the malware author has found success exploiting zero-day ActiveX vulnerabilities and other flaws in the Windows OS and in third-party software, especially RealPlayer and WebThunder.

The attackers also use ARP cache poisoning to send malicious ARP packets to instruct other machines within the same LAN to download Dogrobot samples.
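The ARP cache poisoning step is one a LAN defender can watch for. Below is an added example (not code from the article, from Microsoft, or from the Dogrobot analysis) that scans a constructed log of observed ARP replies for two indicators: an IP whose MAC binding changes, and one MAC answering for several IPs; the log format is an assumption made for illustration.

```python
"""Flag ARP cache-poisoning indicators in a log of observed ARP replies.

Added example for this article, not code from the article or its sources.
The log format is constructed for illustration: one ARP reply per line,
"<epoch> <sender_ip> <sender_mac>".
"""
from collections import defaultdict

# Constructed sample. 192.168.1.1 is the LAN gateway, legitimately at
# aa:bb:cc:dd:ee:01. From t=1253700010 a second host (de:ad:be:ef:00:01)
# starts answering for the gateway's IP and for two other hosts' IPs, which
# is the shape of the LAN-wide ARP poisoning the article describes.
SAMPLE_ARP_LOG = """\
1253700000 192.168.1.1 aa:bb:cc:dd:ee:01
1253700001 192.168.1.20 aa:bb:cc:dd:ee:20
1253700002 192.168.1.21 aa:bb:cc:dd:ee:21
1253700010 192.168.1.1 DE:AD:BE:EF:00:01
1253700011 192.168.1.20 de:ad:be:ef:00:01
1253700012 192.168.1.21 de:ad:be:ef:00:01
1253700013 192.168.1.1 aa:bb:cc:dd:ee:01
"""


def parse_arp_log(text):
    """Parse the constructed log into (timestamp, ip, mac) tuples.

    MACs are lower-cased so a sniffer's case differences cannot hide a
    binding change."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, mac = line.split()
        records.append((int(ts), ip, mac.lower()))
    return records


def find_arp_poisoning(records, max_ips_per_mac=1):
    """Return three indicators of ARP cache poisoning.

    conflicts:     each reply that changes the MAC last seen for an IP, as
                   (timestamp, ip, previous_mac, new_mac)
    flapping_ips:  IPs that were claimed by more than one MAC
    impersonators: MACs claiming more than max_ips_per_mac IPs, mapped to
                   the IPs claimed (a man-in-the-middle host claims the
                   gateway plus its victims)
    """
    last_mac = {}
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    conflicts = []
    for ts, ip, mac in records:
        if ip in last_mac and last_mac[ip] != mac:
            conflicts.append((ts, ip, last_mac[ip], mac))
        last_mac[ip] = mac
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return {
        "conflicts": conflicts,
        "flapping_ips": sorted(ip for ip, macs in ip_to_macs.items()
                               if len(macs) > 1),
        "impersonators": {mac: sorted(ips) for mac, ips in mac_to_ips.items()
                          if len(ips) > max_ips_per_mac},
    }


if __name__ == "__main__":
    findings = find_arp_poisoning(parse_arp_log(SAMPLE_ARP_LOG))
    for ts, ip, old, new in findings["conflicts"]:
        print(f"{ts}: {ip} moved from {old} to {new}")
    print("flapping IPs:", findings["flapping_ips"])
    print("MACs claiming multiple IPs:", findings["impersonators"])
```

On a real network, feed it replies captured by a sniffer on a mirror port; hosts with legitimate IP aliases can be allowed for by raising max_ips_per_mac.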

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

57 Comments

RE: Hijacking Windows System Restore for cybercrime profits
birumut Updated - 2nd May 2011
Well done! Thank you very much for professional templates and community edition
seslisohbet seslichat
0 Votes
I wonder what they are doing. We use SteadyState on all of our machines. Reboot the machine and everything is restored.

Maybe they should move from a PC based environment to a terminal server like system. Each reboot loads a completely new OS. I guess the only thing they could attack at that point would be memory.
0 Votes
Terminal Server???
duomenox 23rd Sep 2009
Why would you want a central point of failure for your entire setup?

A terminal server DOES NOT load a completely new OS at each reboot.

This malware would just infect the underlying OS and record all input anyway.

Also, since there are not any 3D capabilities on terminal server based systems, the companies would lose a ton of their customers who come in to play games.... probably Starcraft

Anywho, using SteadyState will not protect against this, there are special rules that SteadyState gives to the System Restore process... and since this malware uses backdoors built into System Restore, you are not really protected at all.

The problem is that people assume a good firewall, anti-virus, being updated with all security updates, and programs like SteadyState will in fact protect them from everything. This is wrong, you still have to be smart when doing anything online.

It's like Fort Knox... all the security in the world will not make a difference if someone opens the front door and invites the bad guy in.
0 Votes
Win System Restore protection?
rroberto18 23rd Sep 2009
Great article, but stopped short of being practical.

Now that we know the problem, what security measures will protect us?
0 Votes
Good question...
duomenox 23rd Sep 2009
That would be a nice piece of information to know...

I wonder if it would be as simple as disabling System Restore and then disabling the service associated with it?

Or maybe the backdoor is not in the service, but in the way the service interfaces with lower level processes...

Either way, an update with tips to avoid this malware would be appreciated.
0 Votes
System restore
PC Medicalist 23rd Sep 2009
This feature has been automatically integrated with Windows 7. How will you shut this off unless Microsoft allows the OS to do so? Just curious.

I know on older systems you can disable it. I have. The only thing is when a setting gets changed I have to start from scratch, just like an out-of-the-box state.
0 Votes
Vista and 7
djzoey Updated - 23rd Sep 2009
SR can be disabled for each of these OSs. I have turned them off on my images.
0 Votes
AV Vendors
djmik 23rd Sep 2009
I have had AV vendors recommend I disable it too. Strangely enough, even though it has saved my arse a number of times, they say it works against cleanup efforts. Seeing as a good rootkit will *****-slap both System Restore AND the average AV app, I would say yes to disabling it anyway.
0 Votes
The issue isn't system restore
laxamar 23rd Sep 2009
The issue is that EVEN System Restore cannot get the machine back to its previous state. System Restore is perfectly great to have if you ever get a bad device driver you need to roll back. No point disabling it unless you are already infected.
0 Votes
Actually
OneTwoc21 23rd Sep 2009
It is a System Restore issue. The virus gets into the System Restore, so once the system is cleaned, when rebooted it restores the virus to the computer. What you have to do is cycle the System Restore: you turn it off, reboot the computer, it'll delete all the System Restore files, then run your scans and things of that nature. That way the virus will not continue to reappear. I'm sure you're all intelligent enough to figure out where to turn it off or find out how.

It can still be infected even if you completely disable System Restore.

The only time System Restore would come into the equation would be if you got infected, cleaned the infection, and then restored back to when it was infected, which wouldn't be wise.
0 Votes
By avoiding the afflicted OS.
AzuMao 28th Sep 2009

0 Votes
LOL -- Linux gaming
wellduh 29th Sep 2009
So far MMO game makers have avoided Linux like the plague. There are only a handful of sophisticated modern games that run on Linux. There are reasons, especially installation conflicts and problems for the hundreds of distributions.

And MACs? LOL! While there is no lack of games -- This is one area most of the world knows MACs are no less vulnerable to hacking than Windows. Given sufficient motive (gaming money) MACs are easily hackable. MACs just lack the large group of vandals who hate the OS or its billionaire owner on general purposes.
0 Votes
On the contrary..
AzuMao 29th Sep 2009
Most of the games that this is targeted at (MMOs) run fine on *nix systems, either natively or under WINE.
0 Votes
Don't use Admin accounts
mechBgon 23rd Sep 2009
The first step in security is to not use more privilege level than you need. I'd put the users on non-Admin accounts. Being a big fan of Software Restriction Policy, I'd deploy that as well (in disallowed-by-default mode).

Noting the USB attack vector, I'd also restrict AutoPlay, either with the new update that's just been released, or the old-fashioned way.
0 Votes
n System Restore protection
gertruded 23rd Sep 2009
Switch operating systems. That will protect you from this exploit.
0 Votes
Avoid public computers.
CobraA1 23rd Sep 2009
Avoid public computers. Bring a laptop.
0 Votes
Message has been deleted.
Kyser Soze Updated - 1st Oct 2009
0 Votes
When the vulnerability is in the kernel of an OS, and that kernel is closed-source like Windows', the only way to avoid it is to avoid the OS. Now take your pointless name-calling and go somewhere else.

"Cyber crime gangs in China are penetrating the hard disk recovery cards on computers in Internet cafes and using a combination of zero-day flaws, rootkits and ARP spoofing techniques to steal billions of dollars worth of online gaming credentials."

So what is a "hard drive recovery card"? I've never encountered one of these devices before...
0 Votes
Older systems
PC Medicalist 23rd Sep 2009
The new OS does not have this component; what will happen when your HDD partitions automatically? You now have a System Recovery as well as your OS that runs. Vista and Windows 7 are already like this.
0 Votes
Better do another search
tranquilitybase 23rd Sep 2009
I don't think he was talking about that POS. That is a PCI card. I don't think people are walking into internet cafes and installing PCI cards. He is talking about a USB token device.

So, are we talking about a situation where someone can get access to the card on the machine, or are we talking about a USB device being plugged in and then having the software do its thing, or are we talking about something along the lines of pointing the machine to a special web site where the software is downloaded from.

To protect the computer, you need to eliminate wireless access and have keyboards locked down to prevent a password capture device being added in. Next, you need to have USB devices physically disabled or never there in the first place. And, of course, you need to have the system wiped between users. Possibly you could accomplish part of that by using virtual machines that are designed to increase security by being even more limited in what they are allowed to do.

None of this means squat if it turns out the guy owning the cybershop is in cahoots with the bad guys.
0 Votes
I turn this function off and use Ghost for restoring on all PCs I build and work on. It has some reconfiguration afterwards; however, if the PC just needs to be restored, why open up something that could be infected by using SR? Besides, it takes up room on the HD, and having an already clean, configured Ghosted or imaged backup of the PC just seems better and less prone to these probable infections. You know nothing is on the PC after it's reimaged. I think System Restore is OK but I always wondered when that was going to get exploited. And also with data mining, who's to say that someone's not going through the SR data files and finding your private and account info? Be safe, back your stuff up, turn off System Restore and use Ghost. It's real easy.
Just one more reason to switch to Linux, or MAC.
0 Votes
Right!!!
gantoris 23rd Sep 2009
well almost, except they use the systems to play games.
Your article was lacking. What do we do now?
So where is the solution recommendation?
I have been seeing this on systems since December 2008, when I first ran across it.

The only permanent fix, is to go in and disable system restore. It destroys all previous system restore points, but allows the various anti-malware tools to actually get into that part of the drive and wipe out the malware. When you are sure you have gotten rid of the remaining vestiges of the crap in the System 32 folder and the Registry, then you can turn system restore back on.
0 Votes
Better still, never use Windows.
mrgoose 23rd Sep 2009
It's hard to imagine a less appropriate OS for a cybercafe than Windows.

On the other hand, a free, Unix-like OS with rigidly enforced permissions, c/w a competent custom installer such as Remastersys eliminates this issue entirely.
0 Votes
never use Windows??
gertruded 23rd Sep 2009
Windows is a very good operating system as long as you do not use it online. It is slower, bloated, and a memory hog, but that is not too important.
0 Votes
Never say never
tranquilitybase 23rd Sep 2009
Is this blanket statement about Windows some kind of prerequisite in every discussion thread that involves Windows? Or is it part of the EULA for MAC OS and Linux users?
WE GET IT!!! DROP IT!!!
0 Votes
Then Insist on a More Secure OS
cpt_slog@... 26th Sep 2009
Security isn't even an afterthought with Windows. Sure cover your eyes and put your fingers in your ears. "La la la la I'm not listening...."

That will keep you safe I'm sure.
0 Votes
Better still, use Windows but be smart.
BrewmanNH 23rd Sep 2009
Only one problem with that idea: the reason people actually are using them in the first place. For most people, it's playing games online, and most of the games that they want to play come out for Windows, so the cafes are trying to target the largest audience so that they make more money. They're not going to go Linux because, let's face it, there's not many games that run on it. Mac has the same issue. So, they're going to run Windows like 90% of the rest of the world's computer users.
0 Votes
That's assuming a lot from internet cafe users
mrgoose Updated - 24th Sep 2009
Trouble is that in an internet cafe situation, as discussed in the original article, one is inviting "the great unwashed" off the street to come in and connect to heaven knows what. In other words, whilst some internet cafe users may be very smart, quite a lot of them may not be!

And I guess it depends on what the cafe is selling itself on. Certainly in this country, internet cafes seem predominately for folks wishing to grab their emails whilst on the move, rather than for playing computer games.

Granted, there are some rare occasions when I have an application that I cannot replace with an open source one, and that I cannot run on WINE or Crossover. This may necessitate running Windows.

However, the only way I have found to run Windows safely is in a virtual machine (VirtualBox on Ubuntu Linux actually) where I limit its access both to the internet and to the hard drives on the system. I.e. Windows is only allowed to see and interact with what I want it to see. In other words, I put Windows in a nice safe environment where it cannot hurt itself.

Which brings me back to my original comment that IMHO Windows does seem an entirely inappropriate choice for a harsh and unprotected environment such as internet cafes. If it must run Windows for whatever reason, then do it in a virtual machine so this VM can be restored at the end of each session - or at least at the end of each day.
0 Votes
Beat me to it
Greenknight_z 24th Sep 2009
Using VirtualBox is the idea I had, too. For this type of situation, where Linux is only used as a host OS, I would use a lighter-weight distro than Ubuntu, though.

It could also save money; each computer could have multiple workstations, running separate virtual machines.
0 Votes
3D acceleration in a VM?
mechBgon 24th Sep 2009
If they're running any 3D-accelerated Windows gaming, then that's not a solution, last I checked. Correct me if I'm wrong.

In the bigger picture, I know from experience that it's easy enough to secure Windows for use by the general public; the cafe admins just need to actually get down to brass tacks and do it. Based on what the malware is doing (and succeeding at), it appears they're letting the users run loose on the systems' Admin accounts, which is foolhardy even if they do have a reimaging setup.
0 Votes
Better still, never use Windows.
Franciscus101 28th Sep 2009
Quote "On the other hand, a free, Unix-like OS with rigidly enforced permissions, c/w a competent custom installer such as Remastersys eliminates this issue entirely." Unquote

And will this free, Unix-like OS allow you to play the games these people obviously want to play? Most games are built for Windows, and, unless they will run on Wine, you can forget running those games on a Linux machine.
0 Votes
It Doesn't Matter to Me...
melekali 23rd Sep 2009
...I have no faith in System Restore, and routinely stop and disable the service from running. I save my data separately and just reload a clean image. For me, this is the only way to operate.
0 Votes
All You Big Ego Mac & Linux Users Better Do Your Research On Security. Lately In The News All I've Been Seeing Is Macs & Linuxes Being Compromised With More Security Flaws Than Windows. It's Safe To Say MAC & LINUX IS NOT WHAT IT'S ALL CRACKED UP TO BE. THEY HAVE THE SAME SECURITY FLAWS AS WINDOWS. THEY JUST WON'T ADMIT IT FOR FEAR OF RUNNING OFF THEIR CUSTOMERS.
0 Votes
switch to MAC? I think not
lachgil 23rd Sep 2009
I'm not interested in getting into a Windows vs. Mac vs. Linux flame war here, but they use Windows for a reason. Internet cafes are used, as aforementioned in the article, by people wanting to play online games. While your small Flash games work on any platform, any graphics-intensive games are OS specific. Despite all its flaws, the Windows OSes have the widest range of PC games through the use of the popular graphics programming language DirectX. Due to licensing, DirectX just isn't going to work natively on any other platform.
Sadly Microsoft by design has flaws which are just waiting to be exploited.
Windows being 90% of the market share, is the criminals', and 90% of everyone else's, money maker for now.
0 Votes
Safety by Anonymity?
FiOS-Dave 25th Sep 2009
Microsoft has 95% of the market.
Maybe even higher in China?
The only good thing about Microsoft bashing is that it has put them on the offensive side and caused them to fine tune their protective systems way past all other OS's.
With DEP and their random addressing schemes (among others), they have the SAFEST OS there is (Win7.) Since their security is SO good, the bad guys are now aiming their cannons at Apple and Linux. Some malware makers are now offering a "bounty" for each infected Mac.
Just read the latest white papers from NSS labs and other highly respected (very neutral) companies.
Maybe it is time to change the name of Snow Leopard to Snow Ostrich...

0 Votes
A Fix in The Far Future?
milldogtjm Updated - 24th Sep 2009
Is Microsoft going to add in their Service Pack 2 for Win 7 an updated version? Or are security software vendors going to come up with a way to fix and block Dogrobot from ever getting into your computer? I hope soon, before this security threat gets out of control and causes damage here in the United States. The real problem is when are they going to come up with a way to fix it, that's the real question.
This Windows vs. Mac vs. Linux is all a bunch of hype! I will venture to say that Microsoft has about 70% of computer users out there, 23% are Mac users (only because they can afford them and their sh*t don't stink) and the other 7% like the "free" and got used to it. So the hackers are out there finding and getting their goods off of Windows because there are so many Windows PCs out in this world.

Stop n think about this... Microsoft makes a product, someone hacks it, now another company designs a product to thwart away the bad guys until the bad guys figure out another way to get their goods. Now if it weren't for the bad guys, we honest folk would not need to boost the economy (good or bad) and purchase software to protect our PCs. It's kinda like tools. Any time a manufacturer creates a new fastening part, i.e. a screw, now they have to design and market a new tool in order to be able to loosen or tighten it.

Counterfeit money is the same also... OK, the government can make money with all kinds of different holograms and special print and strips on it; don't you think that your average person out in the real world can do the same or even better!

Reverse the roles between Windows and Mac. If there were more Macs and way fewer PCs, all the hackers would be after the Mac. But don't worry, some day someone is going to shoot their mouth off about how secure their Mac is and all the hackers out there are all going to reunite and team up to destroy the Macs. OK Mac owners.... you can pick up your jaws now.
I guess Microsoft (and others) will just have to take the next step up in paranoia and make another (super)level of trust where no drivers originating outside Microsoft will be allowed. So the only software to mess up windows on this level will be MS software.
It would be interesting to know more detail about the vulnerabilities, how they are exploited and how the machines are configured. For example, are these Windows XP machines running under an admin account or fully patched 64-bit Vista with unprivileged user accounts and fully-enabled UAC?

What percentage those billions are out of the full amount of "online gaming credentials"? Is this more than, say, loss related to credit card fraud caused by vulnerabilities in that system?
0 Votes
How AppGuard Stops Dogrobot
eiverson@... Updated - 24th Sep 2009
I agree that limited user accounts (LUA) is an effective measure. Consequently, Dogrobot would require a successful privilege escalation attack to gain access to system space for Dogrobot implantation. In such circumstances, or for users that must or otherwise choose to run their computer with local admin rights, non-signature-based anti-malware tools will stop Dogrobot. I wish I could say our AppGuard security software was unique in doing so, but frankly other good products do too. Should anyone care to understand how AppGuard Technology blocks attacks such as these, below is a fairly geeky white paper:

http://www.blueridgenetworks.com/docs/AppGuard-Technology-Computer-Protection-White-Paper.pdf

No registration required.
0 Votes