We recently discovered a new breed of the bootkit Rovnix that introduces a private TCP/IP stack.  It seems this is becoming a new trend for this type of malware.

The implementation of the private stack is based on an open-source TCP/IP project and it can be accessed from both kernel and user modes.

It works like this:

  1. At boot time, Rovnix hooks the following exported APIs in ndis.sys by patching the export table in memory: 
     
    • NdisMRegisterMiniportDriver()  (for NDIS 6.0)
    • NdisMRegisterMiniport()  (for NDIS 5.1)
       
  2. When the network adapter driver calls NdisMRegisterMiniportDriver()/ NdisMRegisterMiniport() to  register to NDIS, the hooked function registers Rovnix’s own miniport handler functions.
  3. With Rovnix’s own miniport handler functions, the malware is able to send/receive the packets through this private TCP/IP stack (see Figure 1).

The Rovnix private TCP/IP stack

Figure 1: The private TCP/IP stack

The stack is introduced for stealth purposes:

  • It bypasses the rest of NDIS library code so it can bypass the personal firewall hooks
  • The port used by private TCP/IP stack cannot normally be accessed (such as “nbtstat” command)

Basically, this means Rovnix has introduced new stealth in its network communication.

Traditional methods of analysis, for example running network traffic monitoring software, may not be able to see the packets that are sent or received via a private TCP/IP stack.

However, the compromised machine will contact the domain youtubeflashserver.com. If a network administrator notices traffic sent to this domain, then most likely there are machines infected.

With our latest signature update, we detect the Rovnix dropper as TrojanDropper:Win32/Rovnix.I. Windows Defender Offline (WDO) also detects the infected volume boot record as Trojan:DOS/Rovnix.F.

Sample: SHA1: a9fd55b88636f0a66748c205b0a3918aec6a1a20

Chun Feng
MMPC