Avatar rootkit: the continuing saga

From Botnets.fr
Jump to navigation Jump to search

(Publication) Google search: [1]

Avatar rootkit: the continuing saga
Botnet Avatar
Botnet/malware group
Exploit kits
Feature File download
Distribution vector
Operation/Working group
Date 2013 / 2013-08-21
Editor/Conference ESET Welivesecurity
Link http://www.welivesecurity.com/2013/08/21/avatar-rootkit-the-continuing-saga/ (Archive copy)
Author Aleksandr Matrosov, Eugene Rodionov, Anton Cherepanov
Type Blogpost


Back at the beginning of May we posted preliminary information about Win32/Rootkit.Avatar rootkit (Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication). One of the major questions not covered in that previous research was this: What payload and plugins does Avatar install onto infected machines? We continue our research and are still tracking this malware family. In the middle of July we detected a repacked Win32/Rootkit.Avatar with an active command and control (C&C) server. In this blog post we confirm that Avatar in-the-wild activity continues, and disclose some new information about its kernel-mode self-defense tricks.


 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1882,
   editor = {ESET Welivesecurity},
   author = {Aleksandr Matrosov, Eugene Rodionov, Anton Cherepanov},
   title = {Avatar rootkit: the continuing saga},
   date = {21},
   month = Aug,
   year = {2013},
   howpublished = {\url{http://www.welivesecurity.com/2013/08/21/avatar-rootkit-the-continuing-saga/}},