Rovnix.D: the code injection story

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

Rovnix.D: the code injection story
Rovnix.D Story.png
Botnet Rovnix
Malware Rovnix.D
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2012 / July 27 2012
Editor/Conference ESET
Link http://blog.eset.com/2012/07/27/rovnix-d-the-code-injection-story blog.eset.com (blog.eset.com Archive copy)
Author Aleksandr Matrosov
Type

Abstract

In the one of my previous blog posts I described the bootkit functionality included in modifications found in new Rovnix.D samples (Rovnix bootkit framework updated), but further detailed analysis uncovered some interesting updates to the code injection technique employed. During the Rovnix.D code analysis process we found algorithms for multiple code injections with a range of payloads. In previous versions Rovnix worked with a single payload, and the Rovnix developer concentrated on the sales framework for that specific payload. In the new version we see multiple code injections into user-mode processes launched from hidden storage, opening up more ways in which the botnet can be leased. But right now we aren’t aware of large botnets based on Rovnix.D, and the C&C indicates that the number of currently active bots is 8,417.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1071,
   editor = {ESET},
   author = {Aleksandr Matrosov},
   title = {Rovnix.D: the code injection story},
   date = {27},
   month = Jul,
   year = {2012},
   howpublished = {\url{http://blog.eset.com/2012/07/27/rovnix-d-the-code-injection-story blog.eset.com}},
 }