Rovnix Reloaded: new step of evolution
| Rovnix Reloaded: new step of evolution | |
|---|---|
| Botnet | Carberp |
| Malware | Rovnix, Carberp_(bot), TDL3, TDL3+, TDL4, Olmasco, ZeroAccess |
| Botnet/malware group | |
| Exploit kits | Blackhole |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / February 22, 2012 |
| Editor/Conference | ESET |
| Link | http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution (blog.eset.com; archive copy available) |
| Author | David Harley, Aleksandr Matrosov, Eugene Rodionov |
| Type | |
Abstract
“ In the beginning of February we found a new modification of our “old friend” Win32/Rovnix (the dropper detected as Win32/Rovnix.B trojan), which is the first bootkit using VBR (Volume Boot Record) infection. An interesting fact is that Rovnix bootkit components were used in Win32/Carberp, the most widely spread banking trojan in Russia. You can get more information about modern Carberp evolution facts in our forthcoming presentation “Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon” at CARO 2012.
And now we are seeing a new step of evolution for the Rovnix bootkit family.
We can see interesting tracking strings in the unpacked dropper:
The version has been changed to 2.1, but we’ve seen the same strings before in the Win32/Carberp dropper with bootkit, allowing us to draw some conclusions:
In the Win32/Carberp dropper we’ve seen version number 2.1 among debugging strings but in the latest samples version 2.5 is used.
Bibtex

```bibtex
@misc{2012BFR900,
  editor       = {ESET},
  author       = {David Harley, Aleksandr Matrosov, Eugene Rodionov},
  title        = {Rovnix Reloaded: new step of evolution},
  date         = {22},
  month        = Feb,
  year         = {2012},
  howpublished = {\url{http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution}},
}
```