Windows 7 Forums
Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.

Windows 7: Hijacking Windows System Restore for cybercrime profit

28 Sep 2009   #1

Windows 7 Pro & Vista Home Premium
Hijacking Windows System Restore for cybercrime profit

Cyber crime gangs in China are penetrating the hard disk recovery cards on computers in Internet cafes and using a combination of zero-day flaws, rootkits, and ARP spoofing techniques to steal billions of dollars worth of online gaming credentials.

According to a Microsoft anti-virus researcher, five generations of the Win32/Dogrobot malware family have perfected the novel rootkit technique to hijack System Restore on Windows — effectively allowing the malicious file to survive even after the compromised machine is reverted to its previous clean state.

At the Virus Bulletin 2009 conference in Geneva, he provided a look at the techniques used by Dogrobot, which is directly linked to the lucrative underground trading of online gaming assets like passwords and virtual property. According to data presented by Feng, the Dogrobot family has caused more than USD$1.2 billion in losses to Chinese Internet cafes. He explained that earlier Dogrobot used disk-level I/O file manipulation to penetrate System Restore but, as the malware evolved, it started using
a “backdoor” that already exists in the System Restore functionality.

A third generation introduced extensive unhooking code to thwart the protection offered by security programs and avoid removal. Along the way, he discovered that newer variants were tweaked to get around security software and strengthen the code’s ability to maintain
persistent stealth on compromised Windows computers.

In China, Internet cafes are very popular among the online gaming crowd where the use of USB sticks with account credentials is the norm. Dogrobot takes advantage of this, abusing the USB AutoRun functionality on older machines to propagate. He explained that the malware author has found success exploiting zero-day ActiveX vulnerabilities and other flaws in Windows OS and third-party software — especially RealPlayer and
WebThunder. The attackers also use ARP cache poisoning to send malicious ARP packets to instruct other machines within the same LAN to download Dogrobot samples.

More........Hijacking Windows System Restore for cybercrime profits | Zero Day |
My System SpecsSystem Spec

Thread Tools

Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd

All times are GMT -5. The time now is 09:49 PM.
Twitter Facebook Google+

Windows 7 Forums

Seven Forums Android App Seven Forums IOS App

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33