Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
We recently discovered a new breed of the bootkit Rovnix that introduces a private TCP/IP stack. It seems this is becoming a new trend for this type of malware.
The implementation of the private stack is based on an open-source TCP/IP project and it can be accessed from both kernel and user modes.
It works like this:
Figure 1: The private TCP/IP stack
The stack is introduced for stealth purposes:
Basically, this means Rovnix has introduced new stealth in its network communication.
Traditional methods of analysis, for example running network traffic monitoring software, may not be able to see the packets that are sent or received via a private TCP/IP stack.
However, the compromised machine will contact the domain youtubeflashserver.com. If a network administrator notices traffic sent to this domain, then most likely there are machines infected.
With our latest signature update, we detect the Rovnix dropper as TrojanDropper:Win32/Rovnix.I. Windows Defender Offline (WDO) also detects the infected volume boot record as Trojan:DOS/Rovnix.F.
Sample: SHA1: a9fd55b88636f0a66748c205b0a3918aec6a1a20