Avatar Rootkit Uses Yahoo for C&C

Friday, May 3, 2013 @ 04:05 PM gHale

A sample of the Avatar rootkit is now in researchers hands and they have found the malware infects drivers in order to bypass host-based intrusion prevention system (HIPS) and to ensure it can step into action even after a system reboot.

The catch is, though, the malware only infects x86 systems, said ESET researchers. Those are some of the conclusions found after the researchers conducted an analysis of the Win32/Rootkit.Avatar family.

Trojan Variant Packages with Rootkit
Trojan Hides on Blogging Platform
Spam Leads to ZeuS
Spam Campaign Hits Snapchat

The payload analyzed by the security firm doesn’t have any out of the ordinary features.

It can parse configuration information, read and write into hidden file storage, communicate with the rootkit driver, install additional modules and communicate with its command and control (C&C) server.

Another aspect regarding the Avatar rootkit is the fact that it uses Yahoo groups to communicate with the C&C if other channels are not working properly.

The complete technical details are available on ESET’s security blog.

Leave a Reply

You must be logged in to post a comment.