ESET Releases Avatar Rootkit’s Analytical Study

Three months back (February 2013), ESET the Internet security company became aware about one fascinating rootkit namely 'Avatar', which Russian cyber-crime websites advertised. Since then, only now, the rootkit's foremost and other variants have been detected, thanks to the researchers at ESET who've found those variants, which let them to conduct one study of Win32/Rootkit.Avatar and its family components.

Notably, by infecting drivers, Rootkit Avatar circumvents HIPS (host-based intrusion prevention system), while makes sure it becomes active despite a system-restart. Nevertheless, Avatar merely contaminates x86 computers.

Interestingly, when ESET examined Avatar's payload, it found no extraordinary feature as different from the standard. The payload could parse configuration details, write/read concealed file storage, exchange messages between itself and Avatar's driver, load more malware, as also interact with its central C&C (command-and-control) infrastructure.

One more factor making Avatar significant apparently is its utilization of Yahoo groups for sending-and-receiving messages from the C&C server when no other channel is functioning alright. There then occurs a search for messages inside Yahoo clusters controlling specified factors.

Meanwhile, there's an important Application Programming Interface (API) for the Avatar rootkit which helps it construct more components that, however, is its source formula. This construction takes place around one 'Avatar Runtime Library,' one particular kind of 'software development kit' (SDK), to construct extra user-mode elements which allow interaction with Avatar's driver.

The variant i.e., Win32/Rootkit.Avatar represents one rootkit family that's constantly working while controlling several working techniques to circumvent security products. When rootkits such as Gapz and Avatar are treated to become sophisticated they can be utilized to have a long-running infection with the help of an element launching the assault. The rootkit under study doesn't stack files within any typical record complement, as well as any method to cause motorist infection makes difficult to have typical debate strategies for getting utilized to experience effective occurrence investigation.

Lastly, Win32/Rootkit.Avatar uses more methods for reinstating botnet control in case certain authority core gets dismantled alternatively there's interruption to CC. To sanitize, first the motorist of Avatar rootkit along with user-mode payload must be destabilized followed with possibly cleansing else reinstating any complement driver.

» SPAMfighter News - 5/7/2013