Trojan hides in Windows recovery
According to a report by Microsoft virus specialist Chun Feng at the Virus Bulletin malware conference in Geneva, criminals spying out users' online gaming login data in Chinese internet cafes and subsequently selling this information are said to have caused 1.2 billion US dollars in damage. The criminals use the Dogrobot trojan, which hides in the system and can even survive a Windows system recovery.
According to Chun Feng, the malware exploits a back door in the Windows system recovery and a vulnerability in the "Hard Disk Recovery Cards" that are part of many PCs in Chinese internet cafes. The cards are designed to prevent hard disk write access to avoid problems such as virus infections, and allow a system to be recovered after a problem. Excelstor's GStor-Plus offers a similar feature, but so far in Europe this type of system has not gained much acceptance.
The fifth incarnation of Dogrobot, which uses various rootkit techniques, is now said to be in circulation. While the first variant only compromised the Windows Volume Management Layer, the latest version reportedly hooks into the Windows IDE/ATAPI Port Driver Layer to hide there. Chun Feng didn't provide any further details, and his latest presentation is not yet available to download. The specialist had already pointed out at the Virus Bulletin 2008 conference that Dogrobot can handle Hard Disk Recovery Cards.
Dogrobot is injected into PCs through vulnerabilities such as browser holes. It also uses ARP cache poisoning attacks to redirect other Windows PCs in the local network to specially crafted web pages and infect them that way. The trojan also spreads via USB flash drives.
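The ARP cache poisoning described above relies on a compromised PC answering ARP requests for another host's address (typically the gateway) with its own MAC, so that traffic from its neighbours is redirected. A defender can spot this because the same IP address suddenly appears with two different MAC addresses, or one MAC starts claiming several IPs. The following detection example is added here and is not code from the article or from any product it mentions; the ARP reply records are constructed sample data, and the `trusted` mapping of a known gateway MAC is an assumed input an operator would supply from the network inventory.

```python
from collections import defaultdict

# Constructed sample of observed ARP replies: (timestamp, sender IP, sender MAC).
# Host .20 is the infected machine; from 10:00:05 it claims the gateway's IP.
SAMPLE_ARP_REPLIES = [
    ("10:00:01", "192.168.1.1", "00:11:22:33:44:55"),   # genuine gateway
    ("10:00:02", "192.168.1.20", "00:AA:BB:CC:DD:01"),  # ordinary PC
    ("10:00:03", "192.168.1.1", "00:11:22:33:44:55"),
    ("10:00:05", "192.168.1.1", "00:AA:BB:CC:DD:01"),   # gateway IP now claimed by .20's MAC
    ("10:00:06", "192.168.1.1", "00:AA:BB:CC:DD:01"),
]

# Assumed operator-supplied inventory: IPs whose MAC is known in advance (hypothetical values).
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}


def detect_ip_mac_conflicts(replies, trusted=None):
    """Flag ARP replies in which an IP is claimed by a MAC other than the one it is bound to.

    The binding for an IP is the trusted MAC if one is configured, otherwise the
    first MAC observed for that IP (learning mode). Returns a list of alert dicts.
    """
    bindings = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        expected = bindings.setdefault(ip, mac)  # learn on first sight if not trusted
        if mac != expected:
            alerts.append({"time": ts, "ip": ip, "expected_mac": expected, "seen_mac": mac})
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: set(ips)} for every MAC that answered for more than one IP.

    A single NIC legitimately owning several addresses is possible, so this is a
    weaker signal than a binding conflict; it is useful to identify the poisoning host.
    """
    claims = defaultdict(set)
    for _ts, ip, mac in replies:
        claims[mac.lower()].add(ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_ip_mac_conflicts(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print(f"{alert['time']} ARP conflict: {alert['ip']} expected {alert['expected_mac']} "
              f"but saw {alert['seen_mac']}")
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP_REPLIES).items():
        print(f"MAC {mac} answers for {sorted(ips)}")
```

On a real network the replies would come from a span port or the switch's DHCP/ARP snooping logs, and the conflict check is the same; static ARP entries for the gateway on client PCs, or dynamic ARP inspection on managed switches, stop the redirection itself rather than merely detecting it.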