ESET Detected New Version Of Win32/Rovnix rootkit
Tuesday, February 28, 2012:
Researchers from the global security company ESET have recently found a new modification of the infamous Win32/Rovnix Trojan, rootkit malware targeting Windows. Analysts expect an increase in native 64-bit malware, especially rootkits, in 2012.
Win32/Rovnix was first discovered in 2011 and was the first bootkit to use Volume Boot Record (VBR) infection. The new version of the Rovnix dropper was detected by ESET as Win32/Rovnix.B at the beginning of February 2012.
Threats targeting 32- and 64-bit Windows are becoming more complex and sophisticated. Apart from the Win32/Rovnix family, there are bootkits such as TDL4 (also known as TDSS, Alureon.DX and Olmarik), which is used to build and maintain a botnet, and ZeroAccess (Win32/Sirefef), which replaces critical operating-system files and hooks kernel structures to make itself invisible to both the OS and security software. By mid-2011, rootkit malware had affected more than 5 million computers worldwide, and India is among the top five countries by infection rate.
Win32/Rovnix.B, like other rootkit droppers, is distributed through pay-per-install affiliate programs. Affiliates receive between $8 and $160 per 1,000 installations of such rootkits; the price for installations in India is the lowest in the market.
Previously, Win32/Rovnix was mainly distributed through affiliate programs from two domains, malwox.com and netox.biz. Affiliates favour photo and video hosting, gaming and adult-content websites for planting malware.
When it appeared in 2011, Win32/Rovnix set a new trend: modifying the VBR and its bootstrap code. Because the infected bootstrap code runs before the operating system loads, this technique let the malware bypass many security and antivirus products and makes the infection harder to detect and remove. The Rovnix bootkit framework has kept evolving, and the new version includes updates to the malicious bootstrap code and the kernel-mode driver.
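The detection side of the VBR-modification technique described above, as an added example that is not part of the ESET report and is not Rovnix's own code: an NTFS VBR keeps its BIOS Parameter Block (BPB) intact so the volume still mounts, while the bootstrap code that follows the BPB (offset 0x54 up to the 0x55AA signature at 0x1FE) is what a VBR bootkit replaces. Hashing only that region and comparing it with a known-good baseline is one practical integrity check. The 512-byte sector, the baseline and the "tampered" variant below are all constructed for the example; no real malware bytes are used.

```python
"""Added example: integrity check for an NTFS Volume Boot Record (VBR).

A VBR bootkit keeps the BPB so the volume still mounts but replaces the
bootstrap code that follows it. Comparing that region against a known-good
hash is one way to spot the modification. All bytes here are constructed for
the example, not captured from a real infection.
"""
import hashlib
import struct

SECTOR_SIZE = 512
OEM_ID_NTFS = b"NTFS    "
BOOT_CODE_OFFSET = 0x54    # bootstrap code begins right after the extended BPB
BOOT_SIG_OFFSET = 0x1FE    # bytes 0x55 0xAA mark a bootable sector
BOOT_SIGNATURE = 0xAA55    # value of those two bytes read little-endian


def parse_ntfs_vbr(sector: bytes) -> dict:
    """Split a 512-byte NTFS VBR into the fields the check needs."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an NTFS VBR is exactly 512 bytes")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    mft_cluster = struct.unpack_from("<Q", sector, 0x30)[0]
    return {
        "jump": sector[0:3],
        "oem_id": sector[3:11],
        "bytes_per_sector": bytes_per_sector,
        "sectors_per_cluster": sectors_per_cluster,
        "mft_cluster": mft_cluster,
        "boot_code": sector[BOOT_CODE_OFFSET:BOOT_SIG_OFFSET],
        "signature": struct.unpack_from("<H", sector, BOOT_SIG_OFFSET)[0],
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the BPB legitimately differs per volume."""
    return hashlib.sha256(parse_ntfs_vbr(sector)["boot_code"]).hexdigest()


def check_vbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the VBR matches the baseline."""
    fields = parse_ntfs_vbr(sector)
    findings = []
    if fields["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if fields["oem_id"] != OEM_ID_NTFS:
        findings.append("OEM ID is not 'NTFS    '")
    if fields["jump"][0] not in (0xEB, 0xE9):
        findings.append("first byte is not a short/near jump into the bootstrap code")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from the known-good baseline")
    return findings


def build_sample_vbr() -> bytes:
    """Constructed NTFS-like VBR; the bootstrap bytes are a synthetic pattern."""
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xEB\x52\x90"                   # JMP +0x52 ; NOP, like a real NTFS VBR
    vbr[3:11] = OEM_ID_NTFS
    struct.pack_into("<HB", vbr, 0x0B, 512, 8)   # 512 bytes/sector, 8 sectors/cluster
    struct.pack_into("<Q", vbr, 0x30, 786432)    # $MFT cluster number (a typical value)
    for i in range(BOOT_CODE_OFFSET, BOOT_SIG_OFFSET):
        vbr[i] = (i * 7) & 0xFF                  # synthetic stand-in for bootstrap code
    vbr[BOOT_SIG_OFFSET:] = b"\x55\xAA"
    return bytes(vbr)


def tamper_boot_code(sector: bytes) -> bytes:
    """Simulate a bootkit overwriting the start of the bootstrap code, BPB untouched."""
    vbr = bytearray(sector)
    vbr[BOOT_CODE_OFFSET:BOOT_CODE_OFFSET + 16] = b"\x90" * 16   # placeholder patch
    return bytes(vbr)


if __name__ == "__main__":
    clean = build_sample_vbr()
    baseline = boot_code_hash(clean)
    print("clean   :", check_vbr(clean, baseline) or "OK")
    print("tampered:", check_vbr(tamper_boot_code(clean), baseline))
```

To run this against a live volume on Windows, read the first 512 bytes of the raw device (for example `\\.\C:`, which needs administrator rights) and record the baseline hash while the system is known clean. The caveat that matters: an active bootkit's kernel-mode driver can filter disk reads and hand back the original sector, so a clean result from inside a running, possibly infected system is not conclusive; read the sector from boot media or a disk image taken offline.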
“It seems that the developers of the malware haven’t wasted their time. The key features introduced in the new version are self-defense mechanisms intended to prevent the malware from being detected by antivirus software, and an implementation of hidden storage has been added to store configuration data for the payload. Rovnix relies on its own mechanisms to store data, which allows it to counteract forensic analysis and adds additional stealth functionality to counter antivirus software,” says David Harley, Senior Research Fellow at ESET.
Another interesting fact is that the bootkit builder for VBR bootkits like Win32/Rovnix is offered for sale on the underground market. For instance, Win32/Carberp, a dangerous banking trojan that is most widespread in Russia, the CIS and some European countries, was upgraded in 2011 and began using Rovnix bootkit components. “It may be that what we are seeing now is a new mass-testing bootkit and in the future this code may be re-used in another malware family,” says David Harley.
ESET researchers predict a significant increase in new malicious code targeting 64-bit operating systems in 2012; until now, the most dangerous rootkits and bootkits have mainly targeted 32-bit platforms.
“The year 2011 could be referred to as a year of growth in complex threats. Over the course of this year we witnessed an increase in the number of threats targeting the Microsoft Windows 64-bit platform, and bootkits in particular,” says David Harley.
64-bit versions of Microsoft Windows were considered resistant to kernel-mode rootkits because of the integrity checks performed by system code, in particular the kernel-mode code-signing policy. However, malware targeting 64-bit Windows (Win64/Olmarik and Win64/Rovnix) was detected in the wild last year. These families use various methods to bypass the kernel-mode code-signing policy; a bootkit gets control from the infected VBR before the Windows loader runs, so it can tamper with the boot chain in memory before the signing checks are enforced.
The approach used by rootkits and bootkits lets the malware keep its payload and configuration data where antivirus and security software is unlikely to look, which makes these families a powerful weapon in the hands of cybercriminals.