Rovnix Reloaded: new step of evolution



Botnet: Carberp
Malware: Rovnix, Carberp_(bot), TDL3, TDL3+, TDL4, Olmasco, ZeroAccess
Botnet/malware group:
Exploit kits: Blackhole
Distribution vector:
Operation/Working group:
Date: 2012 / February 22, 2012
Editor/Conference: ESET
Link: (Archive copy)
Author: David Harley, Aleksandr Matrosov, Eugene Rodionov


At the beginning of February we found a new modification of our “old friend” Win32/Rovnix (the dropper is detected as the Win32/Rovnix.B trojan), which is the first bootkit to use VBR (Volume Boot Record) infection. An interesting fact is that Rovnix bootkit components were used in Win32/Carberp, the most widespread banking trojan in Russia. You can get more information about the recent evolution of Carberp in our forthcoming presentation “Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon” at CARO 2012.

And now we are seeing a new step of evolution for the Rovnix bootkit family.

We can see interesting tracking strings in the unpacked dropper:

The version has been changed to 2.1, but we’ve seen the same strings before in the Win32/Carberp dropper with a bootkit, allowing us to draw some conclusions:

In the Win32/Carberp dropper we’ve seen version number 2.1 among the debugging strings, but in the latest samples version 2.5 is used.


 @misc{2012BFR900,
   editor = {ESET},
   author = {David Harley, Aleksandr Matrosov, Eugene Rodionov},
   title = {Rovnix Reloaded: new step of evolution},
   date = {22},
   month = Feb,
   year = {2012},
   howpublished = {\url{}},