The evolution of Rovnix: Private TCP/IP stacks


We recently discovered a new breed of the bootkit Rovnix that introduces a private TCP/IP stack.  It seems this is becoming a new trend for this type of malware.

The implementation of the private stack is based on an open-source TCP/IP project and it can be accessed from both kernel and user modes.

It works like this:

  1. At boot time, Rovnix hooks the following exported APIs in ndis.sys by patching the export table in memory:

     • NdisMRegisterMiniportDriver()  (for NDIS 6.0)
     • NdisMRegisterMiniport()  (for NDIS 5.1)

  2. When the network adapter driver calls NdisMRegisterMiniportDriver()/NdisMRegisterMiniport() to register with NDIS, the hooked function registers Rovnix's own miniport handler functions.
  3. With Rovnix's own miniport handler functions in place, the malware is able to send and receive packets through this private TCP/IP stack (see Figure 1).

    Figure 1: The private TCP/IP stack

    The stack is introduced for stealth purposes:

    • It bypasses the rest of the NDIS library code, so any personal firewall hooks placed in that code path never see its packets
    • The port used by the private TCP/IP stack cannot normally be observed (for example with the "nbtstat" command)

    Basically, this means Rovnix has introduced new stealth in its network communication.

    Traditional methods of analysis, for example running network traffic monitoring software, may not be able to see the packets that are sent or received via a private TCP/IP stack.
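    A memory-forensic check for the export-table patch described above, added here as an example and not part of the original post or of any Microsoft tooling: it parses the export directory of a module image as found in memory and flags entries that differ from the on-disk copy or point outside the module. The ndis.sys images are constructed stand-ins with sample RVAs; in practice the two buffers would come from a memory dump and the driver file.

```python
import struct

# IMAGE_EXPORT_DIRECTORY (40 bytes, little-endian); the last five fields are the ones walked below.
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_RVA = 0x100  # where the constructed images below place their export directory

def parse_exports(image: bytes, export_dir_rva: int) -> dict:
    """Map export name -> function RVA, treating RVAs as offsets into a flat in-memory image."""
    fields = struct.unpack_from(EXPORT_DIR_FMT, image, export_dir_rva)
    n_funcs, n_names, addr_funcs, addr_names, addr_ords = fields[6:11]
    exports = {}
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, addr_names + 4 * i)[0]
        name = image[name_rva:image.index(b"\0", name_rva)].decode("ascii")
        ordinal = struct.unpack_from("<H", image, addr_ords + 2 * i)[0]
        if ordinal < n_funcs:
            exports[name] = struct.unpack_from("<I", image, addr_funcs + 4 * ordinal)[0]
    return exports

def find_hooked_exports(clean: bytes, in_memory: bytes, export_dir_rva: int) -> dict:
    """Exports whose in-memory RVA differs from the clean copy or lies beyond the image size
    (i.e. points at code that is not part of the module). Returns {name: (clean_rva, mem_rva)}."""
    clean_ex = parse_exports(clean, export_dir_rva)
    hooked = {}
    for name, rva in parse_exports(in_memory, export_dir_rva).items():
        if rva != clean_ex.get(name) or rva >= len(in_memory):
            hooked[name] = (clean_ex.get(name), rva)
    return hooked

def build_image(exports: dict, size: int = 0x1000) -> bytes:
    """Constructed flat image carrying only an export directory (test fixture, not a real PE)."""
    img = bytearray(size)
    funcs, names, ords, strings = 0x200, 0x240, 0x280, 0x300
    for i, (name, rva) in enumerate(exports.items()):
        struct.pack_into("<I", img, funcs + 4 * i, rva)
        struct.pack_into("<I", img, names + 4 * i, strings)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[strings:strings + len(name)] = name.encode("ascii")
        strings += len(name) + 1  # keep a NUL terminator after each name
    struct.pack_into(EXPORT_DIR_FMT, img, EXPORT_DIR_RVA,
                     0, 0, 0, 0, 0, 1, len(exports), len(exports), funcs, names, ords)
    return bytes(img)

# Constructed stand-in for ndis.sys on disk; RVAs are sample values, not the real driver's.
CLEAN_NDIS = build_image({"NdisMRegisterMiniportDriver": 0x0A40, "NdisMRegisterMiniport": 0x0B80,
                          "NdisAllocateMemory": 0x0C10})
# Same image after the NdisMRegisterMiniportDriver entry is redirected outside the module.
PATCHED_NDIS = build_image({"NdisMRegisterMiniportDriver": 0x7F0000, "NdisMRegisterMiniport": 0x0B80,
                            "NdisAllocateMemory": 0x0C10})
```

    Running find_hooked_exports(CLEAN_NDIS, PATCHED_NDIS, EXPORT_DIR_RVA) reports only the redirected entry; a real image would also need the export directory RVA read from the PE data directory rather than a fixed constant.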

    However, the compromised machine will contact the domain youtubeflashserver.com. If a network administrator notices traffic sent to this domain, then most likely there are machines infected.

    With our latest signature update, we detect the Rovnix dropper as TrojanDropper:Win32/Rovnix.I. Windows Defender Offline (WDO) also detects the infected volume boot record as Trojan:DOS/Rovnix.F.

    Sample: SHA1: a9fd55b88636f0a66748c205b0a3918aec6a1a20

    Chun Feng
    MMPC



    Comments (9)

    1. alan says:

      Hello.

    2. Didier Stevens says:

      I took a trace of this sample. HTTP requests are made with this User Agent String: FWVersionTestAgent

    3. Paul Szabo says:

      Is the domain youtubeflashserver.com hard-coded?

      Should be easy to "kill" the domain… is it still alive,

      what is the IP address?

    4. Chun Feng says:

      The domain "youtubeflashserver.com" is hard coded in the injected module. In the new variant, this domain may change.

    5. interesting says:

      i am using toolwiz time freeze, it can prevent this virus.

    6. k4psula says:

      very interesting, thanks.

    7. Baneki Privacy Labs says:

      Would you be so kind as to share the name of the opensource stack project, mentioned in the article? We've not heard of such a project previously; it sounds interesting.

      ~ Baneki Privacy Labs | @baneki

    8. Stewart Henderson says:

      Likewise on the open-source stack?  I haven't heard of this one before.

    9. Nokul Panigrahi says:

      Windows Security Essentials cannot clean this. WSE suggests using Windows Defender Offline. Initially WDO seemed to clean, but when it was run again, the virus Rovnix.T or /G seemed to reappear. Now the problem seems to have exacerbated to the degree that, I think, it triggers Error 0xc00000e9: an I/O error about an unplugged USB or a faulty CD drive. I think the Error and the virus/malware Rovnix are related. I feel this is a new way the malware is preventing the starting of any cleaning process.
