Hackers Exploit Windows System Restore Functionality to Make Money

According to security experts, cyber criminals in China are targeting hard disk recovery cards on systems in cyber cafes to make illicit money. They are employing a combination of zero day vulnerabilities, Address Resolution Protocol (ARP) and rootkits spoofing techniques to plunder online games credentials worth billion of dollars.

Chun Feng, anti-virus researcher at Microsoft, states that five variants of the Win32/Dogrobot malware family have made rootkit techniques novel to hack Windows System Restore functionality, as reported by zdnet on September 23, 2009.

This technique is employed to install Dogrobot virus on computers, offering a great advantage to hackers. In fact, this virus infiltrates the restore functionality of Window Systems and allows malicious files or codes to survive even after cleaning off infected systems.

Moreover, hackers use ARP cache poisoning technique to send malicious ARP packets. These ARP packets give instructions to other machines linked within the same LAN to install Dogrobot variants.

Security experts state that this malware is a highly advanced delivery system for Dogrobot virus that has been modified to escape security software undetected and remain hidden in infected systems. In addition to its strength against removal, this technique of malware makes it exceptionally suited for stealing virtual identities used to play games like World of Warcraft and EverQuest.

Describing more of the virus, security experts have clarified that Dogrobot is a pest wildly hovering on the Network and has already reached the fifth generation. It also uses appropriate rootkit techniques for propagation. Although the first variant of the virus only tampered Windows Volume Management subsystem layer, its latest edition has sneaked into the Windows IDE / ATAPI Port Driver Layer to conceal itself.

Earlier, Dogrobot penetrated the System Restore functionally by manipulating disk-level I/O file but it has now started using "backdoor" existing in the System Restore functionality. Third edition of the virus used extensive unhooking code to defeat the protection given by security programs and avoid removal.

Finally, online game lovers in China have made cyber cafes their playing grounds where they use USB sticks and account credentials openly. Dogrobot exploits the USB AutoRun functionality on older computers to propagate.

Related article: Hackers Redirect Windows Live Search to Malicious Sites

» SPAMfighter News - 10/13/2009