The mysterious Avatar rootkit, detected by ESET as Win32/Rootkit.Avatar, appears to reflect a heavy investment in code development, with an API and a SDK available, plus an interesting abuse of Yahoo Groups for C&C communications.

Technical analysis of Power Loader, a special bot builder for making downloaders for other malware families and yet another example of specialization and modularity in malware production.

Win32/Gapz has a new technique for code injection and a new VBR infection method. The dropper has many tricks for bypassing detection by security software.

A new TDL4 sample includes novel privilege escalation mechanisms in the dropper and changes to the hidden storage system.

For the last few days, much malware research time has been devoted to the brand-new malware that ESET calls Win32/Duqu. One of the features that makes this kind of malware particularly interesting is that it very closely resembles Stuxnet, one of the most sophisticated worms of recent years. Last year we performed in-depth analysis of

…Aleksandr Matrosov, Senior Virus Researcher, & Eugene Rodionov, Rootkit Analyst, … have allowed us to share a long and comprehensive report on the TLD3 rootkit…

A reader recently sent in a batch of questions that I thought might be of general interest.  I also invited other members of the Research team to chime in with their thoughts. Question 1- When it is critical to give a malware specific name? [David Harley answers…] For detection/remediation purposes, it isn't really necessary for

So now for a little more tech detail on Win32/Conficker.AQ (kindly supplied by Juraj Malcho at our labs in Europe – however, if I get anything wrong, that will almost  certainly be down to my faulty interpretation!) The new variant has two main components. The server component is an .EXE that infects vulnerable PC’s in