Here we present the product we announced earlier.
Due to work on other projects, we moved the public release date from May 2012 to February 2013.
The kernel-mode rootkit AVATAR is now available for rent.
Some technical data:
- Technologies used:
  * Privilege escalation exploits to ring0 (not public)
  * UAC bypass on Vista through Windows 8, 0-day
  * Method of loading the driver from memory (bypassing the hard disk), 0-day
  * DKOM in the kernel and in kernel components of the OS
  * Infection of OS boot drivers
  * Dynamic substitution of the hard disk miniport driver
  * Concealment/faking of disk data at the level of sector substitution
  * Kernel-mode injection into processes, the "avatars" system
  * Polymorphic bot-server protocol
  * No reference to the C&C
- Payload: drivers, command-center plug-ins, independent custom modules
- Control method: hybrid (C&C and/or a "special method")
- Size of the exe (not packed): 120 KB
- Written in: C/C++/ASM
- Number of lines of source code written: 327416
- Supported processor architectures: x86
- Supported OS: the entire Windows line from Windows XP through Windows 8
- Not detected by anti-rootkits: GMER, RKU
- Not detected by firewalls: KIS12, COMODO CIS 2013, McAfee Internet Security 2013, Norton Internet Security 2013, and others
The botnet scene is currently in a situation where the effort to maintain a botnet's size, which keeps falling, is in many cases close to the red line of profitability in terms of both money and time. We remember the good old days when botnets lived long and grew fast. The desire to build a bot that fully meets modern requirements was the impetus for creating AVATAR.
Our rootkit is designed for building multi-million "undying" botnets that do not require regular cleaning of either itself or the custom modules. The AVATAR system is a parallel world for Windows. Custom modules and plug-ins use so-called "avatars" to do their work. The user-mode software shell of the same name, "Avatar", is a virtual space in which your process "lives". Avatars are created in the kernel by a unique technology that allows not only quietly and safely "walking" through processes but also assigning those processes any rights. This is especially useful for those who write tools that work inside applications that are likely to have low rights even if the account is in the Administrators group.
AVATAR penetrates the system completely and becomes an integral part of it. A universal kernel code analyzer allowed us to build the rootkit not on banal hooks but on native code, i.e. the code lives deep inside the system. As a result, analyzers that scan kernel objects for suspicious code modifications have nothing to catch on. All modifications are also reflected in the original files at the level of hard disk sector substitution. The rootkit body resides in its own file system (FS) located in a free area of the hard disk and is protected from both reading and writing. To protect its data from offline file-system analysis (for example via a Live CD), the data are encrypted on the fly using a self-written crypto algorithm.
As mentioned in the announcement, our rootkit is independent of OS modifications (Windows updates); you can hide any activity in the system as well as the presence of the rootkit itself and of the custom modules. Work with the OS file system is based on substituting (not hooking!) the hard disk miniport driver, that is, the work is done "at the bottom", which lets it go unnoticed by proactive protection and anti-rootkits. The miniport driver is rebuilt on the fly (in memory) at every boot, so software that performs file analysis based on sector reads of the hard disk cannot see anything suspicious and sees only the data the rootkit itself gives (substitutes). AVATAR is not a bootkit; its carriers are boot device drivers, and the critical areas are restored (in memory) to their original state each time before it launches. For this reason AVATAR is harder to remove from the system than a bootkit (the Achilles' heel of a bootkit is the MBR (VBR)). Attempts to clean the drivers will most likely result in blue screens, and only one option remains: reinstalling the system.
Custom modules are put to work (as mentioned above) using avatars, special virtual spaces inside the required processes. Avatars should not be confused with banal injection; "Avatar" is a comprehensive tool for covert operation in any process. An avatar provides not only code injection but also control and on-the-fly modification of the process's kernel objects in order to ensure, first, a "correct", native execution environment, for example to avoid an unexpected "crash" of the process; second, stealth (using internal kernel functions); and third, the avatar automatically gives the process all the necessary (Admin/System) rights regardless of the current account, which is especially useful for those who inject into browsers, which are generally the lowest-privileged processes in the system. Plus much more, which lets your modules grow "as if out of the ground" in any process from smss.exe downward, without harm to the latter and without alerting proactive protection.
Custom modules can be of three types: drivers, plug-ins (extensions of the command module) and independent modules. Loading of modules, as well as ownership and management of all the rootkit's work, is done via the web admin panel. The web admin panel implements all the functionality needed to run, update and manage your modules. Using plug-ins you can add any functionality to the command module. Plug-in development is trivial and well documented (with examples) in the ASDK (Avatar Software Development Kit). Independent modules and drivers are, in fact, your payload, performing your tasks. For developers' convenience there is a special runtime library, ARTL (Avatar Runtime Library). ARTL exports functions such as creating avatars and landing in any process, assigning rights (tokens) from one process to another, launching drivers from the AVATAR repository, etc. Work with the AVATAR file system from custom modules is completely transparent, i.e. read/write with perfectly ordinary WinAPI or Native API functions. Each module is started with a special structure containing all the information needed to work with the rootkit, including the secret path to the AVATAR repository, which is unique to each bot.
All components of AVATAR provide many exclusive technologies. For example, you do not need a server to start building a botnet. That is, bots can simply be loaded "in proc". Your C&C server(s) can be switched on at any time; all bots will learn of its existence within a short period and will check in to it. Even if the C&C server is compromised (stolen) and someone in the admin panel gives the command to update the config file to a new server, you will not lose the bots, because the master key is stored under your pillow. This is especially important when botnets contain millions of bots and losing them is painful both financially and in terms of time. Everyone remembers the hijacking (shutdown) of such powerful botnets as Waledac, Coreflood, Kelihos, Rustock, Conficker and others; methods of protecting and building botnet networks using technologies such as P2P and fast-flux are not always justified. We offer a different solution: it, like the whole AVATAR architecture in general, is not based on "secrets" of the implementation; we defend ourselves conceptually. This means that even if we sent the AVATAR source code to an AV lab, the botnets would not be destroyed.
The bot-to-C&C communications protocol is fully encrypted and its algorithm is polymorphic. That is, the same request will produce a different command, both in binary structure and in parameters. The encryption key is unique to each bot. Writing a network traffic detector for the bot's protocol is impossible.
Installation of Avatar into the OS is done by 0-day methods written specially for it. This is because exploits get fixed in the next Windows update, whereas methods live for years because they are not based on specific software errors that can be quickly fixed but on architectural miscalculations. One such method is our method of loading drivers directly from memory using standard means (not an exploit!). This method allowed us to significantly improve survivability, because at install time the rootkit driver is never written to disk and is loaded directly from memory, that is, it does not require cleaning and therefore never gets detected. By the way, some kernel exploits that are not 0-day are also used, as they are still useful in certain cases. Also, specifically for the AVATAR project, a 0-day method of bypassing UAC up to Windows 8 was written. All exploits and methods were written for us by PlayBit, who presented his exploit for loading drivers on the forums last year.
Terms of installation:
- OS: starting with Windows XP RTM through Windows 8 (including all intermediate versions and service packs)
- Processor: x86 (x64 in development)
- Minimum account privileges:
  * For systems with updates up to 2012: any user group (i.e. as in any case)
  * For systems with the latest patches: an account in the Administrators group (with UAC bypass)
- Bypass of proactive protection, UAC:
  * For all systems (updates included): UAC and proactive protection bypass
Proactive protection was checked on Win7 SP1 + [KIS12, COMODO CIS 2013, McAfee Internet Security 2013, Norton Internet Security 2013] (default settings).
AVATAR was also tested against anti-rootkits such as GMER and RKU, with a negative result for the latter.
Directions of further development:
- Kernel-mode RDP module
Terms of renting the AVATAR rootkit:
Cost: 1500 WMZ or 1600 LR per month.
Included: a dropper configured for your server (config changes are free), various support tools, admin panel, ASDK, documentation, and a license for the rental term.
We currently do not provide ready-made custom modules, since most people, judging by the polls, have their own solutions tailored to their theme. Therefore the AVATAR rootkit comes in pure form for any of your tasks.
Such a low price for a product of this class is due to the temporary lack of x64 support and the market debut.
In the future the price will be adjusted so that the product gets only to the pros.
This thread is for informational purposes and was not created for discussion, so please ask questions not here but privately via PM. We are also ready to discuss interesting proposals for cooperation.
Willing to undergo any checks.
P.S. Proposals to purchase AVATAR are NOT accepted.
P.P.S. Employees of AV companies get discounts and bonuses =)
P.P.P.S. The AVATAR rootkit is distributed solely for informational purposes and is used to study and improve the security of the Windows OS.