Rovnix Reloaded: new step of evolution

From Botnets.fr

Botnet: Carberp
Malware: Rovnix, Carberp_(bot), TDL3, TDL3+, TDL4, Olmasco, ZeroAccess
Exploit kits: Blackhole
Date: 2012 / February 22, 2012
Editor/Conference: ESET
Link: http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution (blog.eset.com)
Author: David Harley, Aleksandr Matrosov, Eugene Rodionov

Abstract

At the beginning of February we found a new modification of our “old friend” Win32/Rovnix (the dropper is detected as the Win32/Rovnix.B trojan), which is the first bootkit using VBR (Volume Boot Record) infection. An interesting fact is that Rovnix bootkit components were used in Win32/Carberp, the most widespread banking trojan in Russia. You can get more information about the evolution of modern Carberp in our forthcoming presentation “Carberp Evolution and BlackHole: Investigation Beyond the Event Horizon” at CARO 2012.

And now we are seeing a new step of evolution for the Rovnix bootkit family.

We can see interesting tracking strings in the unpacked dropper:

The version has been changed to 2.1, but we’ve seen the same strings before in the Win32/Carberp dropper with bootkit, allowing us to draw some conclusions:

In the Win32/Carberp dropper we’ve seen version number 2.1 among the debugging strings, but in the latest samples version 2.5 is used.

Bibtex

@misc{2012BFR900,
  editor = {ESET},
  author = {David Harley, Aleksandr Matrosov, Eugene Rodionov},
  title = {Rovnix Reloaded: new step of evolution},
  date = {22},
  month = Feb,
  year = {2012},
  howpublished = {\url{http://blog.eset.com/2012/02/22/rovnix-reloaded-new-step-of-evolution}},
}