Rovnix.D: the code injection story
(Publication) Google search: [1]
| Rovnix.D: the code injection story | |
|---|---|
| |
| Botnet | Rovnix |
| Malware | Rovnix.D |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / July 27 2012 |
| Editor/Conference | ESET |
| Link | http://blog.eset.com/2012/07/27/rovnix-d-the-code-injection-story blog.eset.com (blog.eset.com Archive copy) |
| Author | Aleksandr Matrosov |
| Type | |
Abstract
“ In the one of my previous blog posts I described the bootkit functionality included in modifications found in new Rovnix.D samples (Rovnix bootkit framework updated), but further detailed analysis uncovered some interesting updates to the code injection technique employed. During the Rovnix.D code analysis process we found algorithms for multiple code injections with a range of payloads. In previous versions Rovnix worked with a single payload, and the Rovnix developer concentrated on the sales framework for that specific payload. In the new version we see multiple code injections into user-mode processes launched from hidden storage, opening up more ways in which the botnet can be leased. But right now we aren’t aware of large botnets based on Rovnix.D, and the C&C indicates that the number of currently active bots is 8,417.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1071,
editor = {ESET},
author = {Aleksandr Matrosov},
title = {Rovnix.D: the code injection story},
date = {27},
month = Jul,
year = {2012},
howpublished = {\url{http://blog.eset.com/2012/07/27/rovnix-d-the-code-injection-story blog.eset.com}},
}