Hi malware fighters,
Chinese cybercrime gangs hijack the system restore function in Windows on a grand scale to infect computers in Internet cafés permanently and so steal hundreds of millions of dollars' worth of data. In China lots of people do not own a computer and therefore use the machines of a local Internet cafe. With every new login the system is restored and cleansed. Dogrobot malware enables attackers to survive this fresh reboot and eventually steal online gamers' login data.
According to Microsoft, Dogrobot has already caused 1.2 billion dollars of damage in Chinese Internet cafés: http://blogs.zdnet.com/security/?p=4423
Until now five generations of the malware have appeared, consisting of a collection of zero-day leaks, rootkits and ARP spoofing techniques to infect systems and steal data. Dogrobot uses disk-level I/O file manipulation to penetrate the Windows System Restore function, but the second generation uses a "backdoor" already present in System Restore, according to Microsoft's anti-virus researcher Chun Feng. For more info on this existing backdoor in XP, see: http://forum.emsisoft.com/default.aspx?g=posts&t=2787
The third generation had unhooking code to circumvent security program protection and removal, according to Feng at the Virus Bulletin conference in Geneva.
USB-stick/pendrive
To be able to play online, Chinese users carry their log-on data around on a USB stick. This is also being abused by Dogrobot, which spreads via the AutoRun functionality. The malcode is so successful because it uses a variety of ActiveX, Windows, RealPlayer and WebThunder exploits. Moreover it uses ARP cache poisoning, sending malicious ARP packets to the local network to have other machines also download and install the Dogrobot malware. Analysis: http://vil.nai.com/vil/content/v_207561.htm
polonus
P.S. avast detects the malware as Win32.Dogrobot
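The ARP cache poisoning described in the post above is detectable from the LAN side: a host that claims the gateway's IP with a different MAC, or one MAC that suddenly answers for several IPs, stands out in the stream of ARP replies. The following is an added example (not part of polonus's post and not code from Microsoft, avast or McAfee) that runs that check over a constructed list of ARP replies; the IPs, MACs and the `KNOWN_BINDINGS` gateway entry are made-up sample values.

```python
"""Flag ARP cache poisoning from a stream of observed ARP replies.

Three signals are checked, all purely observational (no packets are sent):
  1. a reply contradicts a static IP->MAC binding we trust (e.g. the gateway)
  2. an IP we have already seen is now announced with a different MAC
  3. a single MAC announces more than one IP
"""
from collections import defaultdict

# Constructed sample of (sender_ip, sender_mac) pairs as they would be read
# from ARP reply packets on a cafe LAN. Not real traffic.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway announcing itself
    ("192.168.1.10", "00:11:22:33:44:10"),  # ordinary client
    ("192.168.1.1", "00:11:22:33:44:01"),   # gateway again, consistent
    ("192.168.1.1", "DE:AD:BE:EF:00:99"),   # another host claims to be the gateway
    ("192.168.1.11", "00:11:22:33:44:11"),  # ordinary client
    ("192.168.1.10", "de:ad:be:ef:00:99"),  # same rogue MAC now claims a client IP
]

# Assumed trusted binding for the gateway; in practice taken from the DHCP
# server or a configuration file, not learned from the network.
KNOWN_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_poisoning(replies, known_bindings=None):
    """Return a list of alert dicts, one per suspicious ARP reply event."""
    known = {ip: mac.lower() for ip, mac in (known_bindings or {}).items()}
    first_seen = {}                 # ip -> first MAC that announced it
    ips_for_mac = defaultdict(set)  # mac -> set of IPs it has announced
    alerts = []

    for ip, mac in replies:
        mac = mac.lower()  # normalise case so DE:AD and de:ad compare equal

        # 1. contradiction of a trusted static binding
        if ip in known and known[ip] != mac:
            alerts.append({"kind": "static_binding_violation", "ip": ip,
                           "expected": known[ip], "seen": mac})

        # 2. an IP we already know is now claimed by a different MAC
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append({"kind": "mac_changed", "ip": ip,
                           "old": first_seen[ip], "new": mac})
        first_seen.setdefault(ip, mac)  # keep the first-seen binding as the baseline

        # 3. one MAC answering for several IPs (classic man-in-the-middle pattern)
        ips_for_mac[mac].add(ip)
        if len(ips_for_mac[mac]) > 1:
            alerts.append({"kind": "mac_claims_multiple_ips", "mac": mac,
                           "ips": sorted(ips_for_mac[mac])})

    return alerts


def implicated_macs(alerts):
    """Collect the MACs named as the offending party across all alerts."""
    macs = set()
    for a in alerts:
        macs.add(a.get("seen") or a.get("new") or a.get("mac"))
    return macs


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, KNOWN_BINDINGS):
        print(alert)
    print("implicated:", implicated_macs(detect_arp_poisoning(SAMPLE_ARP_REPLIES, KNOWN_BINDINGS)))
```

On the sample data the fourth reply trips both the static-binding and the MAC-changed checks, and the last reply trips the MAC-changed and multiple-IP checks, so the rogue MAC is implicated four times while the legitimate gateway and clients produce nothing. Feeding the function real replies only requires a capture loop that extracts sender IP and sender MAC from each ARP packet.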