Research paper: I can't go back to yesterday, because I was a different person then.

Research paper on malware that subverts hardware-based system restore utilities - originally presented at VB 2009
  • Note: There are multiple files available for this download. Once you click on the "Download" button, you will be prompted to select the files you need.
  • File sizes: 681 KB and 1.2 MB

ABSTRACT

System Restore hardware and software have been widely implemented, and are commonly used by computer users to revert to a previously preserved ‘good’ state after being affected by malware or other threats to system integrity. As these restore facilities have become commonplace, so too has the malware that attempts to penetrate them. This type of malware reaches into the depths of the affected machine and targets the file system driver.

In late 2007, a mysterious new breed of malware appeared in China and has been evolving quickly since. This malware, named Win32/Dogrobot, is designed deliberately to penetrate a ‘hard disk recovery card’ – hardware widely used by Internet cafés in China. Surprisingly, Dogrobot has caused more than eight billion RMB (around 1.2 billion USD) in losses to Internet cafés in China. (This cost far exceeds that caused by the notorious Win32/Viking virus.)

This paper tracks the five generations of Dogrobot and presents the novel rootkit technique used by Dogrobot to penetrate System Restore on Windows systems, covering penetration from the Windows volume management layer used by early variants to the Windows IDE/ATAPI Port Driver layer used by the latest variants. This paper also closely examines Dogrobot’s propagation methods, including the use of zero-day exploits and ARP spoofing.

What is the significance of Dogrobot’s selection of Internet cafés as its chosen targets? And what is the final goal of this malware? This paper answers these questions and elaborates on the clandestine relationship between Dogrobot and the black market for online game passwords.

Author: Chun Feng
  • Supported Operating System: Windows 2000, Windows 7, Windows 95, Windows 98, Windows CE, Windows NT, Windows Vista, Windows Web Server 2008 R2
  • Required software: XPS Reader or Adobe Acrobat Reader
  • Download the research paper in the file format of your choice. It is available as an XPS or PDF. To view the XPS document, you will need to install the reader (included in Windows Vista); to view the PDF document, you will need to install Adobe Acrobat Reader.