Read the article again, BroBear. And, 'bear' in mind that the author
has NOT analyzed any newer generations than what existed in *August 2008*.
A check of the MS Malware Protection's encyclopedia shows plenty more
variants of Dogrobot that have appeared since then:
http://www.microsoft.com/security/p...rue&CBF=True&sortby=date&sortdir=desc&size=10
" Fifth generation
The fifth generation of Dogrobot was noticed in the wild in
August 2008. In this generation, Dogrobot uses a new
technique, PASS_THROUGH, in order to penetrate through
System Restore. Windows OS provides three I/O control
codes: IOCTL_SCSI_PASS_THROUGH (0x4D004),
IOCTL_ATA_PASS_THROUGH (0x4D02C) and IOCTL_
IDE_PASS_THROUGH (0x4D028), and user-mode
applications can send IRP with these I/O control codes via
DeviceIoControl( ) to the disk.sys driver. These IRPs will be
forwarded directly down to the lower driver (e.g. atapi.sys) in
order to perform disk read/write or other disk operations [10].
Some System Restore solutions don’t intercept the read/write
access via PASS_THROUGH and this is exploited by the fifth
generation to compromise System Restore. The disassembly
of the code used by Dogrobot to write to disk via IOCTL_
ATA_PASS_THROUGH is depicted in Figure 11. "
Does atapi.sys ring a bell? Remember the TDSS rootkit?
MowGreen
================
*-343-* FDNY
Never Forgotten
================
banthecheck.com
"Security updates should *never* have *non-security content* prechecked
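The quoted passage explains why a System Restore or disk-filter product that only watches ordinary read/write requests can miss writes: the three pass-through I/O control codes are sent with DeviceIoControl() and are forwarded by disk.sys straight down to the port driver. The following is an added example, not code from the article, from Dogrobot or from any vendor, showing how a defender can decode a Windows IOCTL value into its CTL_CODE fields (device type, access, function, method) and flag the three pass-through codes the article names when reviewing a filter's IOCTL handling or triaging logged DeviceIoControl calls. The log line format and the sample lines are constructed for the example; the bit layout is the CTL_CODE macro from the Windows DDK and the three code values are the ones quoted above.

```python
# Added example (not from the article or from Dogrobot): decode Windows
# I/O control codes and flag the disk pass-through IOCTLs quoted above.
#
# CTL_CODE layout (Windows DDK macro):
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
from typing import List, NamedTuple, Tuple

METHOD_NAMES = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}
ACCESS_NAMES = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS",
}

# The three pass-through codes named in the article. Device type 0x4 is
# FILE_DEVICE_CONTROLLER (IOCTL_SCSI_BASE); all three are METHOD_BUFFERED
# with read+write access, which the decoder below recovers from the value.
PASS_THROUGH_IOCTLS = {
    0x4D004: "IOCTL_SCSI_PASS_THROUGH",
    0x4D02C: "IOCTL_ATA_PASS_THROUGH",
    0x4D028: "IOCTL_IDE_PASS_THROUGH",
}


class IoctlFields(NamedTuple):
    device_type: int
    access: int
    function: int
    method: int


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Encode the four fields exactly as the CTL_CODE macro does."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code: int) -> IoctlFields:
    """Split a 32-bit IOCTL value back into its CTL_CODE fields."""
    return IoctlFields(
        device_type=(code >> 16) & 0xFFFF,
        access=(code >> 14) & 0x3,
        function=(code >> 2) & 0xFFF,
        method=code & 0x3,
    )


def describe_ioctl(code: int) -> str:
    """Human-readable summary; names the code if it is a known pass-through."""
    f = decode_ioctl(code)
    name = PASS_THROUGH_IOCTLS.get(code, "UNKNOWN_IOCTL")
    return (f"{name}: type=0x{f.device_type:X} func=0x{f.function:03X} "
            f"{METHOD_NAMES[f.method]} {ACCESS_NAMES[f.access]}")


def is_disk_pass_through(code: int) -> bool:
    """True for the SCSI/ATA/IDE pass-through codes a disk filter must intercept."""
    return code in PASS_THROUGH_IOCTLS


def audit_ioctl_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Constructed log format (hypothetical monitor): '<pid> <device> <ioctl-hex>'.

    Returns (pid, ioctl name) for every DeviceIoControl call that used a
    pass-through code, i.e. a disk write path that bypasses plain IRP_MJ_WRITE.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail the audit
        pid, code = int(parts[0]), int(parts[2], 16)
        if is_disk_pass_through(code):
            hits.append((pid, PASS_THROUGH_IOCTLS[code]))
    return hits


# Constructed sample log lines (not real captures). 0x70000 is
# IOCTL_DISK_GET_DRIVE_GEOMETRY, a harmless query included as a negative case.
SAMPLE_LOG = [
    r"1234 \\.\PhysicalDrive0 0x4D02C",
    r"1234 \\.\PhysicalDrive0 0x70000",
    r"5678 \\.\PhysicalDrive0 0x4D004",
]

if __name__ == "__main__":
    for code in PASS_THROUGH_IOCTLS:
        print(describe_ioctl(code))
    print(audit_ioctl_log(SAMPLE_LOG))
```

Running the block prints the decoded fields of the three codes and the two constructed log lines that used a pass-through request; the same decoder can be pointed at any IOCTL value seen in a driver trace to check whether it belongs to the device-control path a filter does or does not cover.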