Posted by: Pez
Rovnix Downloader Updated with SinkHole and Time Checks
« on: 16. February 2016., 13:15:21 »

McAfee Labs has found that the latest Rovnix downloader now comes with the capability to check for the sinkholing of its control servers. This relatively new technique makes it difficult to detect the malware—especially on behavior-based malware detection systems. The malware checks for sinkholing of its control servers before each network communication session and does not initiate its malicious activities—such as downloading and running the malicious payload(s)—if it thinks the Domain Name Service (DNS) records have been sinkholed. The downloader also uses an uncommon technique to perform a timing check to decide whether it should perform its malicious activities.

About Rovnix

Rovnix is a malware family that has been around since 2011. It hijacks the boot sector by infecting the VBR and NT LDR to persist on the target system. Its malicious capabilities include:

• Stealing banking information from victims by infecting browser processes.

• Stealing other passwords from the victim’s system.

• Stealing Bitcoins from the target’s wallets.

The Rovnix malware family is modular in nature. It can:

• Update its control servers after it has infected the target system.

• Download new plug-ins, giving it the ability to carry out new malicious activities in the future.

• Infect both 32- and 64-bit systems with corresponding DLLs and bootkit infection drivers and code.



DNS translates domain names such as to IP addresses that can be used by networking applications such as browsers to send and receive content from a web server. For applications that use domain names, DNS requests are the first step in establishing communication with web-based servers. Any malicious application that uses a domain name for its control servers needs to contact a DNS server to translate the domain name into a valid IP address for the servers.

Sinkholing intercepts the DNS request by the malware for a control server and responds with a spoofed address instead of the valid server IP. This disrupts the communication of the malware with its control server and has several advantages. The malware can no longer:

• Download commands to execute on the target system.

• Download new modules or malware to execute on the target system.

• Exfiltrate stolen data from the target system.

• Provide its status to the control server (in the case of botnets).

• Send system statistics to the control server (such as system type, antimalware installed, etc.).

• Download encryption keys from the control server, thus preventing the target’s files from being encrypted (in the case of ransomware).

Sinkholing has been used to disrupt a wide variety of malware campaigns including Trojans, botnets, ransomware, and other threats.


Sinkhole Detection Technique

In a simple yet effective technique, the malware fetches the DNS name server records for the control server it attempts to contact.

DNSQuery call to fetch DNS name servers.

The name server value(s) are then checked against a list of keywords that might indicate that the DNS name server records for the control server have been sinkholed. The malware checks for the following keywords in the DNS name server record values:

• control

• sink

• hole

• dynadot

• block

• trojan

• abuse

• virus

• malw

• hack

• black

• spam

• anti

• googl

String comparisons against DNS name server values.

Once the DNS name servers pass the sinkhole checks, the malware downloads various modules to steal information from the victim’s machine.

Domains Contacted

All of the domains that follow are control servers used to download malicious plug-ins/modules. The malware starts by contacting the first server listed. If it cannot contact the first server, it tries contacting the next server listed, and so on.

The domains listed are for MD5: 7ce075e3063782f710d47c77ddfa1261

• the first control server for communication and downloading additional plugins.

• a backup server. The domain has a history of switching IP addresses.

• a backup server. The domain also has a history of switching IP addresses.

• itnhi4vg6cktylw2.onion: the last server. If none of the other control servers can be contacted, then the malware establishes a connection with this onion address.

Additional control domains seen in other Rovnix downloaders:
• pg7iuaqu5b7fq36o.onion

• j7t4lg23tdhag3fn.onion

• c2bbagrsvbs2v6a7.onion

• hbs63zj7mwj5g6w7.onion


IP Addresses Hosting the Domains

Multiple domains in the control server list share the same IP address, indicating that the malicious actor has control of the IPs hosting the domains. For example, the following domains share the same IP:

• and

•, and

• and

•, and

• and


Timing Checks

The malware also does a time check using standard Network Time Protocol (NTP) servers to decide whether to proceed with its malicious activities. The check compares the times received from the control server and public time servers. If the time elapsed exceeds a certain threshold, the malware sleeps for a period before checking the times again. The time stamp might be fetched from the public NTP servers because many malware analysis systems can spoof local system time to trick the malware into running its malicious code.



The downloaders have primarily been encountered in the United States, Canada, Japan, and parts of Europe.

The following map shows a geographic distribution of the Rovnix downloader:

Geographic distribution of the Rovnix downloader infections.


The newest downloader for Rovnix introduces a new method to detect DNS sinkholing. This technique allows the malware to protect itself by not executing its malicious code if the control server has been sinkholed. Multiple server domains hosted on a single IP also indicate that one attacker might have control of these servers.

The usage of public NTP servers to check the time is a relatively new capability. This technique combats spoofing of local system time used by many dynamic malware detection systems.


MD5 Sums



Yara Rule

The following Yara rule can be used to find samples of the Rovnix downloader:

rule rovnix_downloader
{
    meta:
        author = "Intel Security"
        description = "Rovnix downloader with sinkhole checks"

    strings:
        $sink1 = "control"
        $sink2 = "sink"
        $sink3 = "hole"
        $sink4 = "dynadot"
        $sink5 = "block"
        $sink6 = "malw"
        $sink7 = "anti"
        $sink8 = "googl"
        $sink9 = "hack"
        $sink10 = "trojan"
        $sink11 = "abuse"
        $sink12 = "virus"
        $sink13 = "black"
        $sink14 = "spam"
        $boot = "BOOTKIT_DLL.dll"
        $mz = { 4D 5A }

    condition:
        $mz in (0..2) and all of ($sink*) and $boot
}




Thanks to Christiaan Beek, Jonathan Chang, and Sanchit Karve for contributing to this post.

Original article:
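As an added example, not part of the McAfee post or the forum post above, the following Python re-implements the logic of the quoted rovnix_downloader Yara rule so its semantics (the MZ header within the first three bytes, every sinkhole keyword present, plus the BOOTKIT_DLL.dll marker) can be checked against constructed buffers without a yara installation. The sample buffers built by build_sample are constructed for the demonstration and are not real Rovnix samples.

```python
from dataclasses import dataclass, field

# Keyword set from the Yara rule in the post ($sink1..$sink14); Yara strings are
# case-sensitive by default, so the comparison below is case-sensitive too.
SINK_KEYWORDS = [b"control", b"sink", b"hole", b"dynadot", b"block", b"malw", b"anti",
                 b"googl", b"hack", b"trojan", b"abuse", b"virus", b"black", b"spam"]
BOOT_MARKER = b"BOOTKIT_DLL.dll"   # the rule's $boot string
MZ = b"MZ"                         # the rule's $mz hex string { 4D 5A }


@dataclass
class MatchResult:
    mz_at_start: bool
    missing_keywords: list = field(default_factory=list)
    has_boot_marker: bool = False

    @property
    def matched(self) -> bool:
        # Same conjunction as the Yara condition.
        return self.mz_at_start and not self.missing_keywords and self.has_boot_marker


def check_rovnix_rule(data: bytes) -> MatchResult:
    """Mirror "$mz in (0..2) and all of ($sink*) and $boot" on a raw file image."""
    # "$mz in (0..2)" means the match may START at offset 0, 1 or 2, not end there.
    mz_at_start = any(data[i:i + 2] == MZ for i in range(3))
    # "all of ($sink*)": every keyword must occur somewhere in the file.
    missing = [k.decode() for k in SINK_KEYWORDS if k not in data]
    return MatchResult(mz_at_start, missing, BOOT_MARKER in data)


def build_sample(keywords, boot=True, mz=True) -> bytes:
    """Constructed test buffer (not a real sample): header, padding, NUL-separated strings."""
    head = b"MZ\x90\x00" if mz else b"\x7fELF"
    body = b"\x00".join(keywords) + (b"\x00" + BOOT_MARKER if boot else b"")
    return head + b"\x00" * 16 + body


if __name__ == "__main__":
    result = check_rovnix_rule(build_sample(SINK_KEYWORDS[1:]))
    print("matched:", result.matched, "missing:", result.missing_keywords)
```

Because the rule relies on plaintext strings, a packed or encrypted downloader will not match until it is unpacked or dumped from memory; the missing_keywords list shows which strings a near-miss lacks.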