Chris Mannon: March 2008 Archives

RoBoDog...a New Trick


There are several techniques used by malware coders to infiltrate a seemingly secure network. I recently saw an interesting new way for attackers to potentially cause massive amounts of damage to networked computers. It begins like most of these attacks begin: one person downloading something they shouldn't.

The person responsible for the infection will likely not know that they are infected. After downloading an executable from a Chinese site (in the example used in this post) and running it, the executable is deleted from the system. Before it is deleted, it drops several files in the system32 directory as well as a rootkit in the temp directory of the infected PC.

These files are responsible for sending ARP requests across the network in order to map the infected LAN.

The dat file is used to store the phone home URLs this infection tries to call to on this and any other machine it can infect.

As you can see here, the infection monitors the download status of the malware files. In order to get away with this level of treachery, the attacker has a rootkit and a bot installed in a temp directory.

This rootkit creates a service called PciHardDisk. This is probably to discourage any curious parties from deleting it.

The innocent-looking robopup executable directly above the rootkit is actually run whenever certain processes attempt to start. The attacker accomplishes this in an unusual way that is likely to be used more often in the future. Windows keeps a location in the registry called Image File Execution Options. The purpose of this location is legitimate, but it also has malicious applications. It is possible to add a filename (for example notepad.exe) under this key and set another application (for example bad.exe) as its debugger. Once that is done, every time the user attempts to run notepad.exe, the OS runs bad.exe instead.

The attacker manipulates the registry so that a select group of processes will run the robopup executable previously seen in the temp directory.
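As an added example (not from the original post), the following Python scans a .reg export of the Image File Execution Options key for Debugger values that point into a temp directory, which is the redirection pattern described above. The sample export is constructed; robopup.exe is the name the post uses, while the directories, the suspicious-directory list and the legitimate windbg entry are assumptions.

```python
import re
# Added example (not from the post): scan a .reg export of the IFEO key for
# Debugger values that redirect an image to an executable in a temp directory.
IFEO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"

# Constructed export for illustration; robopup.exe is the name the post uses,
# the directory and the windbg entry are assumed.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\WINDOWS\\Temp\\robopup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="C:\\WINDOWS\\Temp\\robopup.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\devenv.exe]
"Debugger"="\"C:\\Program Files\\Debugging Tools for Windows\\windbg.exe\" -g"
'''

# Directories a legitimate debugger is not normally launched from (assumed list).
SUSPICIOUS_DIRS = ("\\temp\\", "\\tmp\\", "\\temporary internet files\\")

def parse_ifeo(reg_text):
    """Return {image_name: debugger_command} for each IFEO subkey carrying a Debugger value."""
    entries, current, prefix = {}, None, IFEO_KEY.lower() + "\\"
    for line in (l.strip() for l in reg_text.splitlines()):
        key = re.match(r"\[(.+)\]$", line)
        if key:  # new subkey: remember the image name if it sits under IFEO
            name = key.group(1)
            current = name[len(prefix):].lower() if name.lower().startswith(prefix) else None
            continue
        val = re.match(r'"Debugger"="(.*)"$', line)
        if val and current:  # .reg syntax escapes quotes and backslashes; undo that
            entries[current] = val.group(1).replace('\\"', '"').replace("\\\\", "\\")
    return entries

def debugger_path(command):
    """Executable path from a Debugger command line, whether quoted or bare."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]

def suspicious_entries(reg_text):
    """Sorted [(image, debugger_path)] where the debugger lives in a temp-style directory."""
    hits = []
    for image, cmd in parse_ifeo(reg_text).items():
        path = debugger_path(cmd)
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            hits.append((image, path))
    return sorted(hits)
```

On a live system the same check can be run against the output of `reg export` for the IFEO key; any hit should be compared with the machine's known debugging tools before the value is removed.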

Network administrators should watch their server logs for any kind of unauthorized activity that probes for browsable directories. It should look something like this:

translate: f
User-Agent: Microsoft-WebDAV-MiniRedir/5.1.2600

Facetime Security Labs detects this threat as RoBoDog.

About this Archive

This page is an archive of recent entries written by Chris Mannon in March 2008.
