Avatar rootkit: the continuing saga
| Field | Value |
|---|---|
| Botnet | Avatar |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | File download |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2013 / 2013-08-21 |
| Editor/Conference | ESET Welivesecurity |
| Link | http://www.welivesecurity.com/2013/08/21/avatar-rootkit-the-continuing-saga/ |
| Author | Aleksandr Matrosov, Eugene Rodionov, Anton Cherepanov |
| Type | Blogpost |
Abstract
“Back at the beginning of May we posted preliminary information about Win32/Rootkit.Avatar rootkit (Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication). One of the major questions not covered in that previous research was this: What payload and plugins does Avatar install onto infected machines? We continue our research and are still tracking this malware family. In the middle of July we detected a repacked Win32/Rootkit.Avatar with an active command and control (C&C) server. In this blog post we confirm that Avatar in-the-wild activity continues, and disclose some new information about its kernel-mode self-defense tricks.”
Bibtex
@misc{2013BFR1882,
  editor = {ESET Welivesecurity},
  author = {Aleksandr Matrosov and Eugene Rodionov and Anton Cherepanov},
  title = {Avatar rootkit: the continuing saga},
  day = {21},
  month = aug,
  year = {2013},
  howpublished = {\url{http://www.welivesecurity.com/2013/08/21/avatar-rootkit-the-continuing-saga/}},
}