They have come to give the message of death and punishment to the one who eats them," said Swami Chakrapani, the National President of the All India Hindu Mahasabha. Believe it or not, he drew an analogy between Lord Narsingh taking an avatar to kill a demon and the Chinese being "taught a lesson" about not "torturing animals and turning vegetarian".
Bizarre as it may sound, Swami Chakrapani went on to claim that there is a way out of this health epidemic for the Chinese. According to him, the Chinese president Xi Jinping should "create an idol of Corona and seek forgiveness", and if the entire non-vegetarian Chinese populace takes a "pledge of not harming any innocent creatures in future, then the anger of Corona will come down".
In a further embarrassing statement, he added that if the Chinese follow his prescription, the "avatar" will "return to its world". The Hindu Mahasabha chief, however, assured Indians that they need not be wary of the deadly virus, notwithstanding that three people have already been detected with the disease in India. According to him, "God worshipping and Gau Raksha believer Indians" are immune to coronavirus.
On the infected machine, additional user-mode and kernel-mode modules can be downloaded, stored in the hidden file storage and executed from there. Apart from the infected system driver, Avatar keeps none of its malicious components in the regular NTFS file system.
The user-mode payload is injected from kernel mode: the driver calls the KeInitializeApc routine to initialize a user-mode APC object and schedules it so that the payload thread runs inside the address space of a system process (KeInitializeApc is an undocumented kernel routine that is normally paired with KeInsertQueueApc to actually queue the APC). Its main functionalities are:
Because modules are fetched and deployed after the fact, the initial infection is only the starting point for whatever malicious activity the downloaded modules implement. In our case the payload component is avcmd. Its configuration file has the following structure:
To protect communications with the command center, a custom encryption algorithm is used and its output is base64-encoded. The payload searches for messages in Yahoo groups using special search parameters. The search string is built as follows: the relevant strings are concatenated, the resulting byte sequence is encrypted with the custom algorithm using a key taken from the configuration file, the ciphertext is base64-encoded, all letters are converted to upper case and some symbols are filtered out. The upper-casing and filtering make the transformation lossy: the resulting token cannot be decoded back to the ciphertext, but anyone who holds the key and the algorithm can recompute it, which is what makes the groups findable by the bot, and by an analyst who has recovered the configuration.
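The derivation of the Yahoo Groups search token, as an added example that is not code from the original post and not Avatar's own algorithm: the page does not describe Avatar's custom cipher, so RC4 stands in for it here, and the concatenated fields (a botnet name plus a sequence number), the sample key, and the set of filtered characters are all assumptions. What it shows is the practical consequence of the lossy pipeline: the token is recomputable but not decodable, so an analyst hunts for groups by recomputing candidate tokens from a recovered configuration and comparing them with scraped group names.

```python
import base64
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Stand-in keyed stream cipher (RC4). Avatar uses its own custom
    algorithm, which this page does not describe; any keyed cipher
    illustrates the pipeline equally well."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_group_token(parts, key: bytes) -> str:
    """Bot-side derivation as described in the text: concatenate the
    strings, encrypt with the configured key, base64-encode, upper-case,
    and strip the symbols (assumption: everything that is not A-Z or 0-9).
    The last two steps are lossy, so the token cannot be decoded back."""
    plain = "".join(parts).encode("utf-8")
    encoded = base64.b64encode(rc4(key, plain)).decode("ascii")
    return re.sub(r"[^A-Z0-9]", "", encoded.upper())


# Constructed sample configuration for the demo (not values from a real sample).
CONFIG = {
    "botnet": "BTN1",
    "key": bytes.fromhex("00112233445566778899aabbccddeeff"),
}


def hunt_groups(candidate_names, config, max_seq=16):
    """Analyst side: the token cannot be reversed, so enumerate the field
    assumed to vary (a sequence number), recompute every token the bot
    could be looking for, and report which scraped group names match."""
    wanted = {
        derive_group_token([config["botnet"], str(seq)], config["key"]): seq
        for seq in range(max_seq)
    }
    return [(name, wanted[name.upper()])
            for name in candidate_names if name.upper() in wanted]


if __name__ == "__main__":
    token = derive_group_token(["BTN1", "3"], CONFIG["key"])
    print("bot searches for:", token)
    # Constructed list of scraped group names: one real hit among decoys.
    print("hits:", hunt_groups(["kittensclub", token, "BTN1"], CONFIG))
```

Because the match is done by recomputation rather than decoding, the same routine doubles as a detection check: a candidate group name that matches a recomputed token for a known configuration is a strong indicator that the group is part of the botnet's C&C channel.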
An example for botnet BTN1 looks like this:
If the search is successful, the next step is to check the group number and read the group description. The group description is encrypted with RSA using a private key held by the operators; it can be decrypted with the public key stored in the configuration file. Since that public key ships inside every sample, this step provides no confidentiality: its purpose is authentication, because only the holder of the private key can produce a description that decrypts correctly, which prevents a third party from feeding the bot a fake description through a group of their own.
After identifying this functionality, we searched the Yahoo Groups web site for such messages. The search request looks like this:
We were able to decrypt the message we found using the known RSA public keys from the configuration information. The key from the BTN1 botnet successfully decrypted this message:
The authors of this blog post suspect that this Yahoo group was created to test the communication functionality, because it contains the same information already present in the BTN1 configuration file.
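The group-description check from the two preceding passages, as an added example that is not the post's code and uses toy-sized keys rather than the real ones: the operators apply the RSA private exponent to the description and the bot applies the public exponent from its configuration, which is a signature check in all but name. The Mersenne primes used for the modulus, the exponent, the chunk format, and the "AVTR" marker the bot looks for after decryption are all assumptions made for the demo. It also shows why this authenticates the channel: a description produced without the private key (here, one "encrypted" with the public exponent instead, or a tampered one) fails the check.

```python
from math import gcd

# Toy RSA modulus from two Mersenne primes (2^127-1 and 2^107-1 are prime).
# Assumption for the demo only; real samples use a far larger key.
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
assert gcd(E, (P - 1) * (Q - 1)) == 1
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)

CHUNK = 28                             # plaintext bytes per RSA block (1 + 28 bytes < N)
BLOCK = (N.bit_length() + 7) // 8      # ciphertext bytes per RSA block (30 here)
MAGIC = b"AVTR"                        # assumed marker the bot checks after decryption


def _rsa(x: int, exp: int) -> int:
    return pow(x, exp, N)


def _chunks(description: bytes, exp: int) -> bytes:
    """Split MAGIC + description into chunks and apply the given exponent to each.
    A 0x01 byte is prepended so the exact chunk length survives the round trip."""
    payload = MAGIC + description
    out = bytearray()
    for i in range(0, len(payload), CHUNK):
        m = int.from_bytes(b"\x01" + payload[i:i + CHUNK], "big")
        out += _rsa(m, exp).to_bytes(BLOCK, "big")
    return bytes(out)


def operator_encrypt(description: bytes) -> bytes:
    """Operator side: apply the PRIVATE exponent. Only the key holder can do this."""
    return _chunks(description, D)


def forge_with_public_key(description: bytes) -> bytes:
    """What someone without the private key (a sinkhole, a rival) could try:
    apply the PUBLIC exponent instead. The bot's own application of E does not undo it."""
    return _chunks(description, E)


def bot_decrypt(blob: bytes):
    """Bot side: apply the PUBLIC exponent from the configuration and accept the
    result only if the marker is present. Returns the description, or None."""
    if len(blob) == 0 or len(blob) % BLOCK:
        return None
    plain = bytearray()
    for i in range(0, len(blob), BLOCK):
        m = _rsa(int.from_bytes(blob[i:i + BLOCK], "big"), E)
        plain += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]
    if not plain.startswith(MAGIC):
        return None
    return bytes(plain[len(MAGIC):])


if __name__ == "__main__":
    # Constructed group description; long enough to span two RSA blocks.
    desc = b"group=btn1;ver=2;backup=example.invalid;x=1"
    print("genuine  :", bot_decrypt(operator_encrypt(desc)))
    print("forged   :", bot_decrypt(forge_with_public_key(desc)))
```

The practical point for an incident responder is the asymmetry: with the public key pulled from a sample's configuration you can read the real group descriptions, as the post describes, but you cannot impersonate the operators, so taking over the channel requires more than registering a group with the right name.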
Avatar has a special API for developing additional components without access to the source code of the Avatar rootkit. Development is based on the Avatar Runtime Library, an SDK for building user-mode components that communicate with the Avatar rootkit driver. Judging from our analysis of the SDK, it looks like the work of highly skilled system developers.
We estimate that the malware developers worked on it for at least half a year, because many of the kernel-mode techniques it uses need lengthy testing to be stable. Avatar is an interesting rootkit family that uses many techniques to evade detection by security software. Rootkits at the level of sophistication of Avatar or Gapz can maintain a long-term infection of the compromised system. Because Avatar does not store its files in the standard file system, and because of its driver-infection technique, typical forensic approaches are harder to apply in an incident investigation.
Dropper1 (BTN1 botnet): b2b3bb4b7c5aaa8abe5a79db8b
Dropper2 (NET1 botnet): a9aacae5f62eecfde