Hijacking Windows System Restore for cybercrime profits

Summary: Hackers in China are using a combination of sophisticated techniques to penetrate the hard disk recovery card on computers in Internet cafes to steal billions of dollars worth of online gaming credentials.


GENEVA -- Cyber crime gangs in China are penetrating the hard disk recovery cards on computers in Internet cafes and using a combination of zero-day flaws, rootkits and ARP spoofing techniques to steal billions of dollars worth of online gaming credentials.

According to Microsoft anti-virus researcher Chun Feng, five generations of the Win32/Dogrobot malware family have perfected the novel rootkit technique to hijack System Restore on Windows -- effectively allowing the malicious file to survive even after the compromised machine is reverted to its previous clean state.

At the Virus Bulletin 2009 conference here, Feng provided a fascinating look at the techniques used by Dogrobot, which is directly linked to the lucrative underground trading of online gaming assets like passwords and virtual property.

According to data presented by Feng, the Dogrobot family has caused more than USD$1.2 billion in losses to Chinese Internet cafes.

He explained that earlier Dogrobot variants used disk-level I/O file manipulation to penetrate System Restore but, as the malware evolved, it started using a "backdoor" that already exists in the System Restore functionality. A third generation introduced extensive unhooking code to thwart the protection offered by security programs and avoid removal.

Along the way, Feng discovered that newer variants were tweaked to get around security software and strengthen the code's ability to maintain persistent stealth on compromised Windows computers.

In China, Internet cafes are very popular among the online gaming crowd where the use of USB sticks with account credentials is the norm.  Dogrobot takes advantage of this, abusing the USB AutoRun functionality on older machines to propagate.

He explained that the malware author has found success exploiting zero-day ActiveX vulnerabilities and other flaws in Windows OS and third-party software -- especially RealPlayer and WebThunder.

The attackers also use ARP cache poisoning to send malicious ARP packets to instruct other machines within the same LAN to download Dogrobot samples.
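The defender's counterpart to that last step is to watch each client's ARP cache for the footprint a LAN-wide poisoning campaign leaves behind: a gateway whose MAC address suddenly changes, or one MAC answering for several IP addresses. The PowerShell script below is an added example, not code from the article or from Feng's presentation; the two ARP cache snapshots are constructed sample text in the format of Windows `arp -a` output, and every address in them is invented.

```powershell
# Added example (not from the article): flag ARP cache entries whose IP-to-MAC
# binding changes between snapshots, the symptom an ARP poisoning campaign
# leaves on every client in the LAN. Input is constructed sample text in the
# format of Windows 'arp -a' output; all addresses are invented.

# Two constructed snapshots of one client's ARP cache. In the second, the
# gateway 192.168.1.1 starts answering from a different MAC, and that MAC
# also belongs to another host (192.168.1.57): both are poisoning indicators.
$snapshot1 = @'
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-1a-2b-3c-4d-5e     dynamic
  192.168.1.57          08-00-27-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
'@

$snapshot2 = @'
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           08-00-27-aa-bb-cc     dynamic
  192.168.1.57          08-00-27-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
'@

function ConvertFrom-ArpTable {
    # Parse 'arp -a' text into objects; header lines, the broadcast entry and
    # multicast entries are skipped because they never identify a real host.
    param([Parameter(Mandatory)][string]$Text)
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\w+)') {
            $ip, $mac, $type = $Matches[1], $Matches[2].ToLower(), $Matches[3]
            if ($mac -eq 'ff-ff-ff-ff-ff-ff' -or $mac -like '01-00-5e-*') { continue }
            [pscustomobject]@{ IP = $ip; MAC = $mac; Type = $type }
        }
    }
}

function Find-ArpPoisoning {
    # Compare a known-good baseline table with a later one and emit findings.
    param(
        [Parameter(Mandatory)][object[]]$Baseline,
        [Parameter(Mandatory)][object[]]$Current,
        [string]$GatewayIP
    )
    $known = @{}
    foreach ($e in $Baseline) { $known[$e.IP] = $e.MAC }

    # Indicator 1: an IP whose MAC differs from the baseline (worst when it is the gateway).
    foreach ($e in $Current) {
        if ($known.ContainsKey($e.IP) -and $known[$e.IP] -ne $e.MAC) {
            $sev = if ($e.IP -eq $GatewayIP) { 'High' } else { 'Medium' }
            [pscustomobject]@{ Severity = $sev; IP = $e.IP; Finding = "MAC changed from $($known[$e.IP]) to $($e.MAC)" }
        }
    }
    # Indicator 2: one MAC claiming several IPs in the current table.
    $Current | Group-Object MAC | Where-Object Count -gt 1 | ForEach-Object {
        [pscustomobject]@{ Severity = 'High'; IP = ($_.Group.IP -join ','); Finding = "MAC $($_.Name) answers for multiple IPs" }
    }
}

$baseline = ConvertFrom-ArpTable $snapshot1
$current  = ConvertFrom-ArpTable $snapshot2
Find-ArpPoisoning -Baseline $baseline -Current $current -GatewayIP '192.168.1.1' | Format-Table -AutoSize
```

On a live client the parser takes `arp -a | Out-String` directly, so a cafe operator can capture a baseline right after each machine boots from its recovery image and compare periodic snapshots against it; a static ARP entry for the gateway on every client removes the gateway-rewrite indicator from the attacker's reach entirely.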

  • welp.... they are finally getting a taste of their own crap.

    I wonder what they are doing. We use SteadyState on all of our machines. Reboot the machine and everything is restored.

    Maybe they should move from a PC based environment to a terminal server like system. Each reboot loads a completely new OS. I guess the only thing they could attack at that point would be memory.
    • Terminal Server???

      Why would you want a central point of failure for your entire setup?

      A terminal server DOES NOT load a completely new OS at each reboot.

      This malware would just infect the underlying OS and record all input anyway.

      Also, since there are not any 3D capabilities on terminal server based systems, the companies would lose a ton of their customers who come in to play games.... probably Starcraft ;-)

      Anywho, using SteadyState will not protect against this, there are special rules that SteadyState gives to the System Restore process... and since this malware uses backdoors built into System Restore, you are not really protected at all.

      The problem is that people assume a good firewall, anti-virus, being updated with all security updates, and programs like SteadyState will in fact protect them from everything. This is wrong, you still have to be smart when doing anything online.

      It's like Fort Knox... all the security in the world will not make a difference if someone opens the front door and invites the bad guy in ;-)
      • Exactly. The solution is to stop opening the front door (using Windows).

  • Win System Restore protection?

    Great article, but stopped short of being practical.

    Now that we know the problem, what security measures will protect us?
    • Good question...

      That would be a nice piece of information to know...

      I wonder if it would be as simple as disabling System Restore and then disabling the service associated with it?

      Or maybe the backdoor is not in the service, but in the way the service interfaces with lower level processes...

      Either way, an update with tips to avoid this malware would be appreciated.
      • System restore

        This feature has been automatically integrated with Windows 7. How will you shut this off unless Microsoft allows the OS to do so? Just curious.

        I know on older systems you can disable it. I have. The only thing is, when a setting gets changed I have to start from scratch, just like an out-of-the-box state.
        PC Medicalist
        • Vista and 7

          SR can be disabled for each of these OSs. I have turned them off on my images.
          • AV Vendors

            I have had AV vendors recommend I disable it too. Strangely enough, even though it has saved my arse a number of times, they say it works against cleanup efforts. Seeing as a good rootkit will bitch-slap both System Restore AND the average AV app, I would say yes to disabling it anyway.
          • The issue isn't system restore

            The issue is that EVEN system restore cannot get the machine back to previous state. System restore is perfectly great to have if you ever get a bad device driver you need to roll back. No point disabling it unless you are already infected
          • Actually

            it is a system restore issue. The virus gets into the system restore, so once the system is cleaned, when rebooted it restores the virus to the computer. What you have to do is cycle the system restore: you turn it off, reboot the computer, it'll delete all the system restore files, then run your scans and things of that nature; that way the virus will not continue to reappear. I'm sure you're all intelligent enough to figure out where to turn it off or find out how.
          • Sorry, turning off system restore won't save Windows from this exploit.

            It can still be infected even if you completely disable system restore.

            The only time system restore would come into the equation would be if you got infected, cleaned the infection, and then restored back to when it was infected, which wouldn't be wise.
      • By avoiding the afflicted OS.

        • LOL -- Linux gaming

          So far MMO game makers have avoided Linux like the plague. There are only a handful of sophisticated modern games that run on Linux. There are reasons - especially installation conflicts and problems for the hundreds of distributions.

          And Macs? LOL! While there is no lack of games -- this is one area most of the world knows Macs are no less vulnerable to hacking than Windows. Given sufficient motive (gaming money) Macs are easily hackable. Macs just lack the large group of vandals who hate the OS or its billionaire owner on general purposes.
          • On the contrary..

            Most of the games that this is targeted at (MMOs) run fine on *nix systems, either natively or under
    • Don't use Admin accounts

      The first step in security is to not use more privilege level than you need. I'd put the users on non-Admin accounts. Being a big fan of Software Restriction Policy, I'd deploy that as well (in disallowed-by-default mode).

      Noting the USB attack vector, I'd also restrict AutoPlay, either with the new update that's just been released, or the old-fashioned way.
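The three controls in that comment (standard-user accounts, a disallowed-by-default Software Restriction Policy, and AutoPlay turned off) can be checked from one script. The PowerShell below is an added example, not code from the article or from the commenter; it uses the documented registry locations for the AutoPlay and SRP policies, assumes a local standard-user account named `cafeuser`, and expects to run in an elevated Windows PowerShell 5.1 or later session (for `Get-LocalGroupMember`).

```powershell
# Added example (not from the article or the commenter): audit a Windows client
# against the three controls recommended above and enforce the registry-backed
# AutoPlay restriction. Run from an elevated PowerShell 5.1+ session.
# 'cafeuser' is an assumed name for the local standard-user account.

$ErrorActionPreference = 'Stop'

# Documented policy locations:
#   NoDriveTypeAutoRun = 0xFF disables AutoPlay/AutoRun for every drive type, USB included.
#   Safer\CodeIdentifiers DefaultLevel = 0 means Software Restriction Policy runs
#   "Disallowed" by default (0x40000 would be "Unrestricted").
$explorerPolicy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$srpPolicy      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

function Test-CafeHardening {
    param([string]$StandardUser = 'cafeuser')   # assumed account name

    $autoRun  = (Get-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $srpLevel = (Get-ItemProperty -Path $srpPolicy -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
    $admins   = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object Name)
    $userIsAdmin = @($admins | Where-Object { $_ -like "*\$StandardUser" }).Count -gt 0

    [pscustomobject]@{ Control = 'AutoPlay disabled for all drive types'; Pass = ($autoRun -eq 0xFF); Actual = $autoRun }
    [pscustomobject]@{ Control = 'SRP default level is Disallowed';       Pass = ($srpLevel -eq 0);   Actual = $srpLevel }
    [pscustomobject]@{ Control = "$StandardUser is not a local admin";     Pass = (-not $userIsAdmin); Actual = ($admins -join ', ') }
}

function Set-AutoPlayRestriction {
    # Enforce the AutoPlay control only. SRP is deliberately left to the Local
    # Security Policy editor (secpol.msc): creating it there also generates the
    # default "Unrestricted" path rules for the Windows and Program Files folders,
    # without which a Disallowed default level leaves the machine unable to run anything.
    if (-not (Test-Path $explorerPolicy)) { New-Item -Path $explorerPolicy -Force | Out-Null }
    Set-ItemProperty -Path $explorerPolicy -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

Test-CafeHardening | Format-Table -AutoSize
```

Run `Set-AutoPlayRestriction` after the audit reports the AutoPlay control failing, then reboot or sign out for Explorer to pick the policy up; the SRP and account checks are reported rather than enforced because both are better changed through the Local Security Policy and Local Users and Groups consoles, where the side effects are visible before they are committed.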
    • n System Restore protection

      Switch operating systems. That will protect you from this exploit.
    • Avoid public computers.

      Avoid public computers. Bring a laptop.
    • Solution: uninstall windows, and get a real OS.

      • Message has been deleted.

        Kyser Soze
        • All I did was post the solution to the problem.

          When the vulnerability is in the kernel of an OS, and that kernel is closed-source like Windows', the only way to avoid it is to avoid the OS. Now take your pointless name-calling and go somewhere