AVATAR ROOTKIT …

Back at the beginning of May we posted preliminary information about Win32/Rootkit.Avatar rootkit (Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication). One of the major questions not covered in that previous research was this: What payload and plugins does Avatar install onto infected machines? We continue our research and are still tracking this malware family. In the middle of July we detected a repacked Win32/Rootkit.Avatar with an active command and control (C&C) server. In this blog post we confirm that Avatar in-the-wild activity continues, and disclose some new information about its kernel-mode self-defense tricks.

Configuration information for analyzed samples has the same format as discussed in our previous analysis at the beginning of summer. Decrypted, the configuration looks like this:

However, the main command center shown in the configuration information was not working at the time of our analysis and we checked the backup control system, which uses Yahoo Groups.

Win32/Rootkit.Avatar has an additional way of communicating with the C&C if other methods are not working correctly. The payload tries to search for messages in Yahoo Groups using special parameters. How this technique works was already described in our previous blog about Avatar. The specific group search parameters for this botnet look like this URL: hxxp://finance.groups.yahoo.com/group/I62TUUWM/. After activation this search request we found the following Yahoo Group with an encrypted message:

The group description is encrypted with an RSA algorithm and a 1024-bit private key from the bot configuration information. The message looks like this after decryption:

In our case the main C&C from configuration information was not active and the bot therefore tries to use the second communication channel via Yahoo Groups. After successful communication with the second C&C the bot received following command to download additional modules:

These instructions download two additional modules to infected machines:
cr.mod (Win32/Agent.UZD) – SOCKS5 proxy client
loader29.mod (Win32/TrojanDownloader.Zurgop.AZ) – also known as Smoke bot downloader

In the previous blog about the Avatar rootkit we had a question left open about the nature of the downloaded payload because not all C&C functionality was active at the time of our analysis. But this time we recognized one SOCKS5 plugin and one additional payload with Smoke bot.
Avatar self-defense tricks

When infecting a system the malware modifies one of the legitimate drivers already installed in the system and puts its modules and the payload into a hidden storage created at the end of the hard drive. So, in order to be able to stay undetected on the system, it protects the corresponding areas of the hard drive from being read or overwritten. To achieve this goal the Avatar hooks the storage miniport driver. This approach isn’t new and has already been employed by such complex threats as TDL3/4 Olmasco and others. However, its implementation details make it interesting and worth describing in the blog post. .

It tries to camouflage the hooks to look like a legitimately loaded kernel-mode driver. More specifically, the malware duplicates the image of the loaded hard disk miniport driver into kernel-mode address space and modifies it so as to be able to intercept disk read/write requests. Consider the following image representing which modifications are made to the system after infection with Avatar:

In other words, the malware remaps the image of the original kernel-mode driver into kernel-mode address space and uses one of its sections to inject malicious code. The Avatar looks for the section to infect – the name of which is ‘INIT’ – and the attributes field contains the value IMAGE_SCN_MEM_DISCARDABLE. This means that the contents of the section are unloaded from memory after the driver is initialized so that the malware is able to take advantage of the freed space to keep its malicious code there. As a result the malicious code will be located at addresses that belong to the legitimate image and, thus, won’t trigger any alarms from security software . The malware renames the section as ‘NONPAGED’ and removes the IMAGE_SCN_MEM_DISCARDABLE value from its attributes and writes malicious code into it.

The fields of the DRIVER_OBJECT structure corresponding to the hard drive miniport driver are modified as well so as to reflect the changes:

• DriverInit – entry point of the driver image

• DriverStart – base address of the image when loaded

• MajorFunctions – array of entry point of driver handlers, including IRP_MJ_INTERNAL_CONTROL

• DriverUnload – the routine executed upon unloading driver

• DriverExtension->AddDevice – the routine responsible for handling PnP devices

After such modifications the malicious code written into the new section in the fake image is able to intercept read/write requests to the hard drive, and therefore protect areas of the hard drive containing the rootkit components.

After that the malware cleans up traces of the original hard drive miniport driver left in the system so as to conceal the addresses of entry points of the original I/O handlers.

If one tries to read the image of the modified driver from the disk so as to compare it to the instance loaded into kernel-mode address space (with the fake instance) the malware will intercept the result of such an operation and return an unmodified driver. As a result it’s unlikely that the difference between the file read from the disk and the one in memory will be noticed. However, the digital signature of the modified driver is no longer valid.

HiddenFsReader update

A dump of the hidden file system presented here:

HiddenFsReader is only able to work correctly with an active Avatar infection. This is because in order to decrypt the hidden file system we need extract ten bytes of an encryption key that is stored in the Avatar driver and generated randomly by each infection. After disinfecting the infected machine it’s not possible to restore any filesfrom the hidden partition but this information can be helpful when following up with an investigation since interesting facts are revealed about names for directories and files within the hidden partition. These names of files and directories are generated randomly for each infected machine.

Win32/Rootkit.Avatar is an interesting example of malware with multiple techniques for bypassing standard forensic approaches and making analysis of this malware family more difficult.

Advertisements

Yahoo overtakes Google in U.S web traffics

Confounding analysts’ predictions, Yahoo sites attracted 196.6 million unique visitors last month, giving it the biggest audience of any US-based web property and overtaking Google for the first time since May 2011, according to analytics company comScore.

Yahoo’s unique visitors were up 21 per cent compared to July of last year, when it came in third behind Google and Microsoft. During the same period, Google sites, (including YouTube), attracted 192.3 million unique visitors, up less than 1 per cent.

Microsoft made third place in July, with 179.6 million unique visitors, followed by Facebook with 142.3 million and AOL with 117.4 million.

 

In an earnings call last month, Yahoo CEO Marissa Mayer noted that page views were rising after more than a year of declines, citing recently refreshed versions of Yahoo mail, weather, sports, news and Tumblr, both on desktop and mobile.
Related Articles
Pure sex app targets ‘open-minded’ Britain 22 Aug 2013
iTunes Radio to launch in September with McDonald’s and Nissan 21 Aug 2013
LG unveils highest-definition smartphone screen 21 Aug 2013
Mark Zuckerberg Facebook profile page hacked 19 Aug 2013
Sponsored Prism surveillance scandal: will you boycott the accused?

However, the comScore figures do not include Tumblr, (the social networking website Yahoo purchased last year), which pulled in 38.4 million unique visitors of its own in July. They also do not include mobile traffic, according to comScore, which is significant given that Yahoo is widely considered to be lagging in mobile.

Although the figures have raised a few eyebrows among industry commentators, comScore’s Andrew Lipsman told Forbes that Yahoo has never been far behind Google in terms of traffic, so the gain is probably due to seasonal or month-to-month variations.

The figures reflect only the number of visitors to each of the company’s various websites, and not how many people use their search engines. Google continues to dominate in search, with 67 per cent of the market in June, according to comScore. Microsoft Bing is ranked second with 17 per cent, followed by Yahoo with 12 per cent.

Yahoo’s real challenge is monetising its traffic. Revenues from display advertising, which is still Yahoo’s main source of revenue, fell 11 per cent in the second quarter of 2013 to $423 million, and the company has been forced to cut its full-year earnings-and-sales forecast