In early 2012, ESET researchers came across a mysterious piece of malware, dubbed the Avatar rootkit (Win32/Rootkit.Avatar), that was being advertised on underground forums by Russian cybercriminals:
"We present you here previously announced product. In connection with work on other projects, we moved the release date for the public from May 2012 to February 2013. Now nuclear rootkit AVATAR is available for rental."
Although the malware had been advertised months earlier, no sample was found or published until March, when ESET researchers detected two droppers that pointed to different C&C servers and carried different compilation timestamps, as shown in the screenshots in the original ESET post.
The Avatar rootkit appears very sophisticated. It uses two different infection techniques: the first, in the dropper, to bypass detection by HIPS, and the second, in the rootkit driver, to keep the malware alive across system reboots. The instance detected works only on x86 systems.
The two dropper levels work together: the first-level dropper implements LZMA decompression of the second-level dropper. The driver module and the second-level dropper are unique in every instance of the malware, because the first-level dropper uses a random name generator for its mutexes and events.
The second-level dropper is responsible for privilege escalation on the target system. It uses two different techniques: exploitation of the MS11-080 vulnerability, with code taken from the public Metasploit Framework exploit with minor changes, and COM Elevation (abuse of the UAC whitelist).
The ESET report includes a diagram of the process implemented by the dropper.
The most interesting part of the Avatar exploit code is what happens after exploitation: kernel-mode shellcode is executed to load the malicious driver. The rootkit driver is never stored on the hard drive; it is loaded only from a memory region.
The Avatar rootkit loads its driver by infecting a system driver, a technique that proved very effective at bypassing the victim's defenses and that also lets the malware load other kernel-mode modules through the infected system driver.
The post reports:
"In order to perform its infection, Avatar randomly chooses a driver and checks its name against a blacklist that varies for every Windows version." "The Avatar rootkit driver is able to infect several system drivers without changing the original driver's file size."
Once the Avatar rootkit driver is loaded, the malicious code runs an algorithm for infecting system drivers in order to survive reboot. The malware can also detect a virtual machine environment: it queries the BIOS and checks for specific strings related to the main virtualization products on the market, such as VirtualBox and VMware.
The malware uses a hidden file system to store the user-mode payload module and additional files; all of the data is encrypted with a custom symmetric cipher. The hidden storage is also used by the Avatar rootkit to keep additional user-mode and kernel-mode modules that the malware can download and execute. Avatar does not store any malicious module in standard NTFS storage, except for the infected system drivers.
The principal functions of the malware are:
- command center communications
- parsing configuration information
- read/write into hidden file storage
- communicating with the rootkit driver
- installing additional user-mode and kernel-mode modules
The post highlights the flexibility of the malicious agent:
"Of course, this means the initial infection can be the starting point of a variety of malicious activities based on the modules that are deployed. In our case the payload component avcmd.dll was injected into svchost.exe system process which started communicating with C&C IP addresses stored in the configuration file."
Another interesting feature implemented by the rootkit's authors is the protection of communications with the command center by a custom encryption algorithm whose output is base64-encoded. Avatar also has an additional way of communicating with the C&C server: it searches for messages in Yahoo Groups using special parameters. The technique is not new, but it is very effective at protecting the malware from sinkhole attempts by security firms, because the information about the C&C domains is encrypted with the RSA asymmetric algorithm.
On the use of Yahoo Groups as a C&C channel, the report states:
"The group description is encrypted with an RSA algorithm and a 1024-bit private key. It is possible to decrypt this data with the public key stored in the configuration file. We suppose this information is to be found in the encrypted message used for returning control for a botnet without an active C&C."
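To make that fallback channel concrete, the following is an added example, written for this page and not code from ESET or from the rootkit itself. It models the scheme the report describes: the operator "encrypts" the group description with the RSA private exponent, the bot recovers it with the public key carried in its configuration, and anyone who sinkholes the group cannot post a description the bot will accept. The modulus size (1024 bits) and the base64 output follow the report; the message layout (a 0x01 marker, the message, then a SHA-256 tag) and the constructed sample message are assumptions of mine, since the real padding is not described. Textbook RSA is used deliberately to show the mechanism; real code would use RSA-PSS from a vetted library.

```python
import base64
import hashlib
import hmac
import random


def is_probable_prime(n, rounds=20):
    """Miller-Rabin test; fine for an illustration, not for production keys."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random odd candidate with the top bit set, retried until it passes."""
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def gen_keypair(bits=1024, e=65537):
    """Return (n, e, d). The operator keeps d; the bot config carries (n, e)."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e must be invertible modulo phi
            return p * q, e, pow(e, -1, phi)


def seal_description(msg, n, d):
    """Operator side: bind msg to the private exponent d.

    Plaintext layout (assumed, not the rootkit's real format):
    0x01 || msg || SHA-256(msg), so the bot can tell a genuine description
    from random bytes. Output is base64, as the report describes for C&C data.
    """
    k = (n.bit_length() + 7) // 8
    padded = b"\x01" + msg + hashlib.sha256(msg).digest()
    if len(padded) > k:
        raise ValueError("message too long for this modulus")
    c = pow(int.from_bytes(padded, "big"), d, n)
    return base64.b64encode(c.to_bytes(k, "big")).decode("ascii")


def open_description(b64, n, e):
    """Bot side: recover msg using only the public key (n, e); None if not genuine."""
    k = (n.bit_length() + 7) // 8
    try:
        c = int.from_bytes(base64.b64decode(b64, validate=True), "big")
    except ValueError:                  # binascii.Error is a ValueError subclass
        return None
    if c >= n:
        return None
    m = pow(c, e, n).to_bytes(k, "big").lstrip(b"\x00")
    if len(m) < 1 + 32 or m[0] != 0x01:
        return None
    msg, tag = m[1:-32], m[-32:]
    return msg if hmac.compare_digest(tag, hashlib.sha256(msg).digest()) else None


def demo():
    """Round trip plus a forgery attempt by someone who does not hold d."""
    n, e, d = gen_keypair(1024)
    hidden = b"c2=198.51.100.7:443"    # constructed sample, not a real Avatar C&C
    sealed = seal_description(hidden, n, d)
    assert open_description(sealed, n, e) == hidden
    forged = base64.b64encode(hashlib.sha256(b"sinkhole").digest() * 4).decode()
    assert open_description(forged, n, e) is None
    return sealed


if __name__ == "__main__":
    print(demo())
```

In this model the bot never needs a reachable domain: it pulls the group description, tries to open it with the embedded public key, and ignores anything that does not carry a valid tag. Seizing the Yahoo Group therefore yields nothing unless the private exponent is also obtained, which is exactly the property the report attributes to the Avatar design.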
Avatar also appears to be a very complex and well-structured project: it comes with a list of APIs for developing additional components based on the Avatar Runtime Library, a special SDK for building additional user-mode components that communicate with the Avatar rootkit driver.
Win32/Rootkit.Avatar can be considered a sophisticated rootkit family with many interesting features for avoiding detection by security software; for this reason security experts believe the agent was developed for long-term infections by those running the attacks.
The Avatar rootkit may hold many surprises in the near future.