Microsoft MVP, Microsoft Support Visiting Expert,
Avatar rootkit: the continuing saga - We Live SecurityBack at the beginning of May we posted preliminary information about Win32/Rootkit.Avatar rootkit (Mysterious Avatar rootkit with API, SDK, and Yahoo Groups for C&C communication). One of the major questions not covered in that previous research was this: What payload and plugins does Avatar install onto infected machines? We continue our research and are still tracking this malware family. In the middle of July we detected a repacked Win32/Rootkit.Avatar with an active command and control (C&C) server. In this blog post we confirm that Avatar in-the-wild activity continues, and disclose some new information about its kernel-mode self-defense tricks.