Hijacking Windows System Restore for cybercrime profits

Hackers in China are using a combination of sophisticated techniques to penetrate the hard disk recovery card on computers in Internet cafes to steal billions of dollars worth of online gaming credentials.
Written by Ryan Naraine, Contributor

GENEVA -- Cyber crime gangs in China are penetrating the hard disk recovery cards on computers in Internet cafes and using a combination of zero-day flaws, rootkits and ARP spoofing techniques to steal billions of dollars worth of online gaming credentials.

According to Microsoft anti-virus researcher Chun Feng (left), five generations of the Win32/Dogrobot malware family have perfected the novel rootkit technique to hijack System Restore on Windows -- effectively allowing the malicious file to survive even after the compromised machine is reverted to its previous clean state.

At the Virus Bulletin 2009 conference here, Feng provided a fascinating look at the techniques used by Dogrobot, which is directly linked to the lucrative underground trading of online gaming assets like passwords and virtual property.

According to data presented by Feng, the Dogrobot family has caused more than USD$1.2 billion in losses to Chinese Internet cafes.

He explained that earlier Dogrobot used disk-level I/O file manipulation to penetrate System Restore but, as the malware evolved, it started using a "backdoor" that already exists in the System Restore functionality.  A third generation introduced extensive unhooking code to thwart the protection offered by security programs and avoid removal.

Along the way, Feng discovered that newer variants were tweaked to get around security software and strengthen the code's ability to maintain persistent stealth on compromised Windows computers.

In China, Internet cafes are very popular among the online gaming crowd where the use of USB sticks with account credentials is the norm.  Dogrobot takes advantage of this, abusing the USB AutoRun functionality on older machines to propagate.

He explained that the malware author has found success exploiting zero-day ActiveX vulnerabilities and other flaws in Windows OS and third-party software -- especially RealPlayer and WebThunder.

The attackers also use ARP cache poisoning to send malicious ARP packets to instruct other machines within the same LAN to download Dogrobot samples.

Editorial standards