Avatar rootkit: the continuing saga

From Botnets.fr
Jump to navigation Jump to search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

Avatar rootkit: the continuing saga
Botnet Avatar
Malware
Botnet/malware group
Exploit kits
Services
Feature File download
Distribution vector
Target
Origin
Campaign
Operation/Working group
Vulnerability
CCProtocol
Date 2013 / 2013-08-21
Editor/Conference ESET Welivesecurity
Link http://www.welivesecurity.com/2013/08/21/avatar-rootkit-the-continuing-saga/ (Archive copy)
Author Aleksandr Matrosov, Eugene Rodionov, Anton Cherepanov
Type Blogpost

Abstract

Back at the beginning of May we posted preliminary information about Win32/Rootkit.Avatar rootkit (Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication). One of the major questions not covered in that previous research was this: What payload and plugins does Avatar install onto infected machines? We continue our research and are still tracking this malware family. In the middle of July we detected a repacked Win32/Rootkit.Avatar with an active command and control (C&C) server. In this blog post we confirm that Avatar in-the-wild activity continues, and disclose some new information about its kernel-mode self-defense tricks.

Bibtex

 @misc{Matrosov2013BFR1882,
   editor = {ESET Welivesecurity},
   author = {Aleksandr Matrosov, Eugene Rodionov, Anton Cherepanov},
   title = {Avatar rootkit: the continuing saga},
   date = {21},
   month = Aug,
   year = {2013},
   howpublished = {\url{http://www.welivesecurity.com/2013/08/21/avatar-rootkit-the-continuing-saga/}},
 }