'I can't go back to yesterday, because I was a different person then'

Chun Feng Microsoft

  download slides (PDF)

System Restore hardware and software have been widely implemented, and are commonly used by computer users to revert back to a pre-preserved 'good' state after being affected by malware or other threats to system integrity. As these restore facilities have become commonplace, so too has the malware that attempts to penetrate them. This type of malware reaches into the depths of the affected machine and targets the file system driver.

In early 2008, a mysterious new breed of malware appeared in China and has been evolving quickly since. This malware, named Win32/Dogrobot is designed deliberately to penetrate a 'hard disk recovery card', hardware widely used by Internet cafés in China. Surprisingly, Dogrobot has caused more than 8 billion RMB (around 1.2 billion USD) in losses to Internet cafés in China. (This cost is far beyond that created by the notorious virus Win32/Viking).

This paper tracks the five generations of Dogrobot and presents the novel rootkit technique used by Dogrobot to penetrate System Restore on Windows systems, covering penetration from the Windows volume management layer used by early variants, to the Windows IDE/ATAPI Port Driver layer used by the latest variants. This paper also closely examines Dogrobot's propagation methods, including the use of a zero-day exploit and ARP spoofing.

What is the significance of Dogrobot's selection of Internet cafés as its chosen targets? And what is the final goal of this malware? This paper answers these questions and elaborates on the clandestine relationship between Dogrobot and the black market for online games passwords.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.