Rovnix bootkit framework updated
Revision as of 00:48, 31 July 2015 by Eric.freyssinet
Rovnix bootkit framework updated

| Field | Value |
|---|---|
| Botnet | Rovnix |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / July 14, 2012 |
| Editor/Conference | ESET |
| Link | http://blog.eset.com/2012/07/13/rovnix-bootkit-framework-updated |
| Author | Aleksandr Matrosov |
| Type | |
Abstract
“We have been tracking the activity of the Rovnix bootkit family since April 2011. Rovnix was the first bootkit family to use VBR (Volume Boot Record) infection (NTFS bootstrap code) for loading unsigned kernel-mode drivers on x64 (64 bit) platforms. The reason for exploring further is the desire of the Rovnix developers to bypass antivirus detection. The payload of the first samples in the wild blocked internet connection for Russian users and forced them to send an SMS to a premium number in order to get their connection unblocked (Hasta La Vista, Bootkit: Exploiting the VBR).”
Bibtex
@misc{2012BFR1068,
  editor = {ESET},
  author = {Aleksandr Matrosov},
  title = {Rovnix bootkit framework updated},
  date = {14},
  month = Jul,
  year = {2012},
  howpublished = {\url{http://blog.eset.com/2012/07/13/rovnix-bootkit-framework-updated}},
}