Microsoft"s malware protection team is always on the lookout for new threats against PCs. This week, the team posted up word that it has found a new version of the bootkit Ronvix out in the wild that will spell trouble for those PC systems that encounter it.
In a blog post, Microsoft goes into some detail about the new Ronvix bootkit. It states, "The implementation of the private stack is based on an open-source TCP/IP project and it can be accessed from both kernel and user modes." The diagram of the private stack is shown above. The bootkit is made to bypass the personal firewall hooks and could allow for downloads of more malware into a PC or its network.
Microsoft says that using network traffic monitoring software may not be able to detect the packets that are from this private TCP/IP stack. However, there is a much easier way to find out if the Ronvix bootkit has managed to find its way to a computer. Microsoft says that any infected PC will have the "youtubeflashserver.com" domain. The blog states, "If a network administrator notices traffic sent to this domain, then most likely there are machines infected."
Source: Microsoft | Image via Microsoft