Rovnix Downloader Updated with SinkHole and Time Checks

McAfee Labs has found that the latest Rovnix downloader now comes with the capability to check for the sinkholing of its control servers. This relatively new technique makes it difficult to detect the malware—especially on behavior-based malware detection systems. The malware checks for sinkholing of its control servers before each network communication session and does not initiate its malicious activities—such as downloading and running the malicious payload(s)—if it thinks the Domain Name System (DNS) records have been sinkholed. The downloader also uses an uncommon technique to perform a timing check to decide whether it should perform its malicious activities.


About Rovnix

Rovnix is a malware family that has been around since 2011. It hijacks the boot sector by infecting the volume boot record (VBR) and NTLDR to persist on the target system. Its malicious capabilities include:

  • Stealing banking information from victims by infecting browser processes.
  • Stealing other passwords from the victim’s system.
  • Stealing Bitcoins from the target’s wallets.

The Rovnix malware family is modular in nature. It can:

  • Update its control servers after it has infected the target system.
  • Download new plug-ins, giving it the ability to carry out new malicious activities in the future.
  • Infect both 32- and 64-bit systems with corresponding DLLs and bootkit infection drivers and code.



DNS translates domain names to IP addresses that networking applications such as browsers use to send and receive content from a web server. For applications that use domain names, DNS requests are the first step in establishing communication with web-based servers. Any malicious application that uses a domain name for its control servers needs to contact a DNS server to translate the domain name into a valid IP address for the servers.

Sinkholing intercepts the DNS request by the malware for a control server and responds with a spoofed address instead of the valid server IP. This disrupts the communication of the malware with its control server and has several advantages. The malware can no longer:

  • Download commands to execute on the target system.
  • Download new modules or malware to execute on the target system.
  • Exfiltrate stolen data from the target system.
  • Provide its status to the control server (in the case of botnets).
  • Send system statistics to the control server (such as system type, antimalware installed, etc.).
  • Download encryption keys from the control server, thus preventing the target’s files from being encrypted (in the case of ransomware).

Sinkholing has been used to disrupt a wide variety of malware campaigns including Trojans, botnets, ransomware, and other threats.
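To make the mechanism concrete, the following added example (not code from the original post or from McAfee) shows the core of a DNS sinkhole: it parses a raw DNS query, checks the queried name against a blocklist, and answers with a spoofed A record pointing at the sinkhole address, so the malware never learns the real control-server IP. The blocklist, the sinkhole address (taken from the 192.0.2.0/24 documentation range) and the query bytes are all constructed for illustration.

```python
import socket
import struct

# Constructed for this example: zones to sinkhole and the address to answer with.
SINKHOLE_IP = "192.0.2.1"
BLOCKED_ZONES = {"c2-domain.example", "backup-c2.example"}


def encode_qname(name):
    """Encode a dotted name as DNS labels (length-prefixed, zero-terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_qname(msg, offset):
    """Decode a name at offset; follows compression pointers (0xC0xx).
    Returns (name, offset just past the name in the original position)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to another offset
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end if end is not None else offset


def build_query(txid, name, qtype=1):
    """Build a standard recursive query (RD=1) for one question; qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def is_blocked(name):
    name = name.lower().rstrip(".")
    return any(name == z or name.endswith("." + z) for z in BLOCKED_ZONES)


def sinkhole_response(query):
    """Return a spoofed A response if the name is blocklisted, else None
    (None means: forward the query to a real resolver as usual)."""
    txid, _flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        return None
    qname, off = decode_qname(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    if qtype != 1 or qclass != 1 or not is_blocked(qname):
        return None
    # Flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (NOERROR).
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:off + 4]
    # Answer: NAME is a pointer to the question name at offset 12, TTL 60s, 4-byte RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def answer_ip(response):
    """Extract the address from a single-answer A response (used to check results)."""
    _, off = decode_qname(response, 12)
    off += 4  # skip QTYPE and QCLASS of the question
    _, off = decode_qname(response, off)
    _rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    return socket.inet_ntoa(response[off + 10:off + 10 + rdlen])


if __name__ == "__main__":
    q = build_query(0x1234, "www.c2-domain.example")
    r = sinkhole_response(q)
    print("blocked name ->", answer_ip(r))
    print("ordinary name ->", sinkhole_response(build_query(0x1235, "example.org")))
```

A production sinkhole would listen on UDP/53 and forward non-blocked queries upstream; the point here is that the malware's resolver sees a syntactically valid answer, which is exactly why the downloader described below looks at the NS records rather than the A record to decide whether it is being sinkholed.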


Sinkhole Detection Technique 

In a simple yet effective technique, the malware fetches the DNS name server records for the control server it attempts to contact.

DNSQuery call to fetch DNS name servers.

The name server value(s) are then checked against a list of keywords that might indicate that the DNS name server records for the control server have been sinkholed. The malware checks for the following keywords in the DNS name server record values:

  • control
  • sink
  • hole
  • dynadot
  • block
  • trojan
  • abuse
  • virus
  • malw
  • hack
  • black
  • spam
  • anti
  • googl

String comparisons against DNS name server values.

Once the DNS name servers pass the sinkhole checks, the malware downloads various modules to steal information from the victim’s machine.
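The following added example (not the malware's code and not from the original post) reproduces the keyword screen described above over constructed NS record values, so an analyst can predict whether a sample will proceed against the nameservers in a given lab or sinkhole, and a sinkhole operator can see which nameserver names would cause the downloader to stay dormant. Case-insensitive matching and the sample NS names are assumptions of this example.

```python
# The 14 keywords the downloader checks for in NS record values (from the analysis above).
SINKHOLE_KEYWORDS = [
    "control", "sink", "hole", "dynadot", "block", "trojan", "abuse",
    "virus", "malw", "hack", "black", "spam", "anti", "googl",
]


def keyword_hits(ns_records):
    """Map each triggered keyword to the NS names containing it.
    Matching is done on the lower-cased name (assumption; the post does not state case handling)."""
    hits = {}
    for ns in ns_records:
        name = ns.lower().rstrip(".")
        for kw in SINKHOLE_KEYWORDS:
            if kw in name:
                hits.setdefault(kw, []).append(name)
    return hits


def looks_sinkholed(ns_records):
    """True if the downloader's heuristic would treat these NS records as a sinkhole."""
    return bool(keyword_hits(ns_records))


def triage(domain_to_ns):
    """Classify each control domain by the malware's own heuristic."""
    return {d: ("dormant (looks sinkholed)" if looks_sinkholed(ns) else "would proceed")
            for d, ns in domain_to_ns.items()}


# Constructed NS data for illustration; no real domains.
SAMPLE_NS = {
    "c2-one.example":   ["ns1.sinkhole.example.", "ns2.sinkhole.example."],
    "c2-two.example":   ["ns1.registrar-dns.example.", "ns2.registrar-dns.example."],
    "c2-three.example": ["dns.abuse-takedown.example."],
}

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_NS).items():
        print(f"{domain}: {verdict} {keyword_hits(SAMPLE_NS[domain]) or ''}")
```

Note that the list catches the conventional naming of takedown infrastructure ("sinkhole", "abuse", "block") as well as some large registrars and hosters, so a lab that wants the downloader to detonate must resolve its control domains through nameservers whose names avoid all fourteen substrings.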

Domains Contacted

All of the domains that follow are control servers used to download malicious plug-ins/modules. The malware starts by contacting the first server listed. If it cannot contact the first server, it tries contacting the next server listed, and so on.

The domains listed are for MD5: 7ce075e3063782f710d47c77ddfa1261

  • the first control server for communication and downloading additional plugins.
  • a backup server. The domain has a history of switching IP addresses.
  • a backup server. The domain also has a history of switching IP addresses.
  • itnhi4vg6cktylw2.onion: the last server. If none of the other control servers can be contacted, then the malware establishes a connection with this onion address.

Additional control domains seen in other Rovnix downloaders:

  • pg7iuaqu5b7fq36o.onion
  • j7t4lg23tdhag3fn.onion
  • c2bbagrsvbs2v6a7.onion
  • hbs63zj7mwj5g6w7.onion


IP Addresses Hosting the Domains

Multiple domains in the control server list share the same IP address, indicating that the malicious actor has control of the IPs hosting the domains. For example, the following domains share the same IP:



Timing Checks

The malware also performs a time check using standard Network Time Protocol (NTP) servers to decide whether to proceed with its malicious activities. The check compares the time received from the control server with the time received from public time servers. If the difference exceeds a certain threshold, the malware sleeps for a period before checking the times again. The time stamp might be fetched from public NTP servers because many malware analysis systems spoof the local system time to trick the malware into running its malicious code.
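From the defender's side, the two behaviours described in this post (a process issuing DNS NS-record queries for the domains it is about to contact, and the same process talking to public NTP servers rather than relying on the system clock) are unusual for ordinary user applications and can be correlated in endpoint telemetry. The following added example (not from the original post or from McAfee) runs that correlation over constructed per-process network log lines; the log format, the process allow-list for NTP, and the five-minute window are assumptions of this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

NTP_PORT = 123
WINDOW = timedelta(minutes=5)
# Processes expected to speak NTP on a Windows host (assumption for this example).
KNOWN_TIME_SERVICES = {"svchost.exe", "w32tm.exe"}

# Constructed telemetry: ts,host,process,proto,dst_ip,dst_port,detail
SAMPLE_LOG = """\
ts,host,process,proto,dst_ip,dst_port,detail
2015-06-01T10:00:01,WS01,svchost.exe,udp,192.0.2.50,123,
2015-06-01T10:02:10,WS01,dropper.exe,udp,198.51.100.9,123,
2015-06-01T10:02:11,WS01,dropper.exe,udp,10.0.0.2,53,qtype=NS qname=c2-domain.example
2015-06-01T10:02:12,WS01,dropper.exe,tcp,203.0.113.7,80,host=c2-domain.example
2015-06-01T10:05:00,WS02,chrome.exe,udp,10.0.0.2,53,qtype=A qname=news.example
2015-06-01T10:06:00,WS02,nslookup.exe,udp,10.0.0.2,53,qtype=NS qname=example.org
2015-06-01T10:30:00,WS03,updater.exe,udp,198.51.100.9,123,
2015-06-01T11:30:00,WS03,updater.exe,udp,10.0.0.2,53,qtype=NS qname=vendor.example
"""


def parse_events(text):
    """Parse CSV telemetry; 'detail' holds space-separated key=value pairs."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.fromisoformat(row["ts"])
        row["dst_port"] = int(row["dst_port"])
        row["kv"] = dict(tok.split("=", 1) for tok in row["detail"].split() if "=" in tok)
        events.append(row)
    return events


def detect_ntp_plus_ns_lookup(text, window=WINDOW):
    """Alert once per (host, process) that both queried public NTP and issued an
    NS-type DNS query within `window` of each other. Either indicator alone is benign
    (time services use NTP; admins run nslookup), so only the pair is flagged."""
    by_proc = defaultdict(lambda: {"ntp": [], "ns": []})
    for e in parse_events(text):
        key = (e["host"], e["process"])
        if (e["proto"] == "udp" and e["dst_port"] == NTP_PORT
                and e["process"].lower() not in KNOWN_TIME_SERVICES):
            by_proc[key]["ntp"].append(e)
        if e["kv"].get("qtype", "").upper() == "NS":
            by_proc[key]["ns"].append(e)

    alerts = []
    for (host, proc), ind in by_proc.items():
        pairs = [(n, q) for n in ind["ntp"] for q in ind["ns"]
                 if abs(q["ts"] - n["ts"]) <= window]
        if pairs:
            n, q = min(pairs, key=lambda p: abs(p[1]["ts"] - p[0]["ts"]))
            alerts.append({
                "host": host,
                "process": proc,
                "ntp_server": n["dst_ip"],
                "ns_query": q["kv"].get("qname"),
                "first_seen": min(n["ts"], q["ts"]).isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_ntp_plus_ns_lookup(SAMPLE_LOG):
        print(a)
```

In the constructed sample only dropper.exe on WS01 is flagged: svchost.exe is an expected NTP client, nslookup.exe only issues the NS query, and updater.exe's two indicators are an hour apart. The NS query is the more specific of the two signals, since resolvers and browsers ask for A/AAAA records and almost never for NS records of the domain they are about to contact.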



The downloaders have primarily been encountered in the United States, Canada, Japan, and parts of Europe.

The following map shows a geographic distribution of the Rovnix downloader:


Geographic distribution of the Rovnix downloader infections.



The newest downloader for Rovnix introduces a new method to detect DNS sinkholing. This technique allows the malware to protect itself by not executing its malicious code if the control server has been sinkholed. Multiple server domains hosted on a single IP also indicate that one attacker might have control of these servers.

The usage of public NTP servers to check the time is a relatively new capability. This technique combats spoofing of local system time used by many dynamic malware detection systems.


MD5 Sums



Yara Rule

The following Yara rule can be used to find samples of the Rovnix downloader:

rule rovnix_downloader
{
    meta:
        description = "Rovnix downloader with sinkhole checks"

    strings:
        // the sinkhole keywords the downloader compares against NS record values
        $sink1  = "control"
        $sink2  = "sink"
        $sink3  = "hole"
        $sink4  = "dynadot"
        $sink5  = "block"
        $sink6  = "malw"
        $sink7  = "anti"
        $sink8  = "googl"
        $sink9  = "hack"
        $sink10 = "trojan"
        $sink11 = "abuse"
        $sink12 = "virus"
        $sink13 = "black"
        $sink14 = "spam"
        $boot   = "BOOTKIT_DLL.dll"
        $mz     = { 4D 5A }   // PE "MZ" header

    condition:
        $mz in (0..2) and all of ($sink*) and $boot
}




Thanks to Christiaan Beek, Jonathan Chang, and Sanchit Karve for contributing to this post.

