Back in February, experts from security firm ESET learned of an interesting rootkit that was advertised on Russian cybercrime forums. Until recently, no one had been able to find a sample of the rootkit, dubbed Avatar.
ESET security researchers have since identified a couple of samples, which allowed them to perform an analysis of the Win32/Rootkit.Avatar family.
The Avatar rootkit infects drivers in order to bypass host-based intrusion prevention systems (HIPS) and to ensure that it is loaded again after a system reboot. However, the malicious component only infects x86 systems.
The payload analyzed by the security firm doesn’t have any out-of-the-ordinary features. It can parse configuration information, read from and write to hidden file storage, communicate with the rootkit driver, install additional modules, and communicate with its command and control (C&C) server.
Another noteworthy aspect of the Avatar rootkit is that it uses Yahoo Groups to communicate with the C&C server as a fallback when its other channels are not working.
The complete technical details are available on ESET’s We Live Security blog.