We recently discovered a new breed of the bootkit Ronvix that introduces a private TCP/IP stack. It seems this is becoming a new trend for this type of malware.
The implementation of the private stack is based on an open-source TCP/IP project and it can be accessed from both kernel and user modes.
It works like this:
- At boot time, Rovnix hooks the following exported APIs in ndis.sys by patching the export table in memory:
- NdisMRegisterMiniportDriver() (for NDIS 6.0)
- NdisMRegisterMiniport() (for NDIS 5.1)
Figure 1: The private TCP/IP stack
The stack is introduced for stealth purposes:
- It bypasses the rest of NDIS library code so it can bypass the personal firewall hooks
- The port used by private TCP/IP stack cannot normally be accessed (such as “nbtstat” command)
Basically, this means Rovnix has introduced new stealth in its network communication.
Traditional methods of analysis, for example running network traffic monitoring software, may not be able to see the packets that are sent or received via a private TCP/IP stack.
However, the compromised machine will contact the domain youtubeflashserver.com. If a network administrator notices traffic sent to this domain, then most likely there are machines infected.
With our latest signature update, we detect the Rovnix dropper as TrojanDropper:Win32/Rovnix.I. Windows Defender Offline (WDO) also detects the infected volume boot record as Trojan:DOS/Rovnix.F.
Sample: SHA1: a9fd55b88636f0a66748c205b0a3918aec6a1a20
Chun Feng
MMPC