'I can't go back to yesterday, because I was a different person then'

Chun Feng Microsoft

  download slides (PDF)

System Restore hardware and software have been widely implemented, and are commonly used by computer users to revert back to a pre-preserved 'good' state after being affected by malware or other threats to system integrity. As these restore facilities have become commonplace, so too has the malware that attempts to penetrate them. This type of malware reaches into the depths of the affected machine and targets the file system driver.

In early 2008, a mysterious new breed of malware appeared in China and has been evolving quickly since. This malware, named Win32/Dogrobot is designed deliberately to penetrate a 'hard disk recovery card', hardware widely used by Internet cafés in China. Surprisingly, Dogrobot has caused more than 8 billion RMB (around 1.2 billion USD) in losses to Internet cafés in China. (This cost is far beyond that created by the notorious virus Win32/Viking).

This paper tracks the five generations of Dogrobot and presents the novel rootkit technique used by Dogrobot to penetrate System Restore on Windows systems, covering penetration from the Windows volume management layer used by early variants, to the Windows IDE/ATAPI Port Driver layer used by the latest variants. This paper also closely examines Dogrobot's propagation methods, including the use of a zero-day exploit and ARP spoofing.

What is the significance of Dogrobot's selection of Internet cafés as its chosen targets? And what is the final goal of this malware? This paper answers these questions and elaborates on the clandestine relationship between Dogrobot and the black market for online games passwords.