
Robot Dog: Recovery Software Penetrating Virus

09.12.2008 - 5:33 PM

In the past few months, a virus called "Robot Dog" has been raging across networks in China. The primary purpose of the virus is to infect computers in Internet cafes. In China, most Internet cafes use recovery software to help protect computers from viruses. "Robot Dog" penetrates the recovery software to help achieve the goal of infecting the computer. Over several generations the virus has evolved its attack against Antivirus and recovery software.

Websense Security Labs analyzed a recent version of the virus.

In this version, the first thing the virus does is drop a file on the system and register it as a service. It then kills some Antivirus software that is popular in China, like "360safe" and "Rising", by terminating their processes.

Here is a sample of the code:

Next, the virus infects explorer.exe. It does this by locating the physical position of explorer.exe on the hard disk and reading its first 512 bytes, using the CreateFile and ReadFile APIs. We compared the first 512 bytes obtained through two different methods, and we suspect that the virus uses this code to detect monitoring software. Next, the virus injects a piece of code into explorer.exe and modifies the first "call function" so that it runs the injected code. At the same time, the virus injects the same code into the running explorer.exe process. The function of the code is to download viruses from a website and execute them.

Here is the download list. We believe most of the URLs are malicious.

After we looked at the virus, we analyzed the file that was dropped and registered as a service.

Because most computers in Chinese Internet cafes use recovery software, the virus must take an action to disable that software. That's the purpose of the dropped file. In it we see that the virus uses several strategies to destroy the recovery software, such as:

  1. Deleting the first filter device on harddisk0.
  2. Setting the device\atapi to respond to only five special requests.
  3. Restoring the SSDT, which makes the real-time monitoring function of the Antivirus software ineffective.
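The infection chain described above (service registration, killing Antivirus processes, raw disk access to explorer.exe, injection into explorer.exe, and downloads made from the injected process) is a sequence that endpoint telemetry can be correlated on. The following is an added detection example, not Websense's code and not taken from the virus; it runs over a constructed list of simplified events whose field names (`host`, `event`, `process`, `target`, `ts`) are an assumed schema rather than any real log format, and it matches Antivirus products only by the name fragments the post mentions ("360safe", "Rising").

```python
from collections import defaultdict

# Name fragments of the AV products the post says the virus kills.
# Substring matching on these is an assumption, not a list of real process names.
AV_NAME_HINTS = ("360safe", "rising")


def _is_service_install(e):
    return e["event"] == "service_installed"


def _is_av_kill(e):
    return (e["event"] == "process_terminated"
            and any(h in e["target"].lower() for h in AV_NAME_HINTS))


def _is_raw_disk_read(e):
    # Reading explorer.exe's sectors directly means opening the disk device
    # rather than the file; \\.\PhysicalDrive<n> is the usual device name.
    return (e["event"] == "file_open"
            and e["target"].lower().startswith(r"\\.\physicaldrive"))


def _is_explorer_injection(e):
    return (e["event"] == "remote_thread"
            and e["target"].lower().endswith("explorer.exe"))


def _is_explorer_download(e):
    # explorer.exe normally has no reason to fetch executables over HTTP.
    return (e["event"] == "network_connect"
            and e["process"].lower().endswith("explorer.exe")
            and e["target"].startswith("http://"))


# Ordered stages of the chain as described in the post.
STAGES = [
    ("service_install", _is_service_install),
    ("av_kill", _is_av_kill),
    ("raw_disk_read", _is_raw_disk_read),
    ("explorer_injection", _is_explorer_injection),
    ("explorer_download", _is_explorer_download),
]


def correlate(events):
    """Return {host: [stage labels]} in first-seen order, one entry per stage."""
    seen = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        for label, pred in STAGES:
            if label not in seen[e["host"]] and pred(e):
                seen[e["host"]].append(label)
    return dict(seen)


def suspicious_hosts(events, min_stages=3):
    """Hosts on which at least min_stages of the chain were observed."""
    return {h: s for h, s in correlate(events).items() if len(s) >= min_stages}


# Constructed sample telemetry (not real logs). CAFE-PC-01 shows the full
# chain; CAFE-PC-02 only installs a service, which benign software does too.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "CAFE-PC-01", "event": "service_installed",
     "process": "C:\\Windows\\Temp\\svc.exe", "target": "svc"},
    {"ts": 2, "host": "CAFE-PC-01", "event": "process_terminated",
     "process": "C:\\Windows\\Temp\\svc.exe", "target": "360safe.exe"},
    {"ts": 3, "host": "CAFE-PC-01", "event": "process_terminated",
     "process": "C:\\Windows\\Temp\\svc.exe", "target": "rising-av-placeholder.exe"},
    {"ts": 4, "host": "CAFE-PC-01", "event": "file_open",
     "process": "C:\\Windows\\Temp\\svc.exe", "target": "\\\\.\\PhysicalDrive0"},
    {"ts": 5, "host": "CAFE-PC-01", "event": "remote_thread",
     "process": "C:\\Windows\\Temp\\svc.exe", "target": "C:\\Windows\\explorer.exe"},
    {"ts": 6, "host": "CAFE-PC-01", "event": "network_connect",
     "process": "C:\\Windows\\explorer.exe", "target": "http://example.invalid/a.exe"},
    {"ts": 7, "host": "CAFE-PC-02", "event": "service_installed",
     "process": "C:\\Program Files\\Printer\\spool.exe", "target": "PrinterSpooler"},
]

if __name__ == "__main__":
    for host, stages in suspicious_hosts(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Requiring several stages before alerting keeps a single service installation from paging anyone, while the raw-disk open and the HTTP download from explorer.exe are the two stages that rarely occur in benign activity and carry most of the signal.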

Here is a sample of the SSDT-restoring code:

Finally, the virus uses some special tactics on certain popular recovery software, like "360safebox" and "icafe".

Here is a sample of the code aimed at special recovery software:

"Robot Dog" has done a large amount of damage to the Internet cafe industry in China. Until recently, Antivirus and recovery software was somewhat successful in keeping the virus from spreading.

Websense will continue to monitor this threat.

Security Researcher: Ulysses Wang
