Friday, May 15, 2015

Rovnix Dropper Analysis (TrojanDropper:Win32/Rovnix.P)

The Win32/Rovnix family is known for its usage of a VBR-based Bootkit in order to load itself before the Windows operating system starts to run.

In this post I am going to analyze a recent Rovnix dropper that is able to install its Bootkit component on an x86 and x86-64 Windows OS. The dropper contains at least two previously known exploits in order to elevate its privileges on the system in case it doesn't have enough permissions to access the VBR.

This post will cover:

  • Environment info - Which information is sent by the dropper to the C&C server and where in the registry the dropper writes its configuration.
  • Anti-Analysis - The technique used by the dropper and the driver in order to detect sandboxes and to prevent the launching of analysis tools.
  • Bootkit installation preparations - Which steps the dropper takes in order to make sure it will be able to install the Bootkit component.
  • Payload - How the actual payload is installed in the system.
  • Code and Module storage - How and where the dropper stores the files and shellcode that it uses throughout the installation process.