TDL4 reloaded: Purple Haze all in my brain
(Publication) Google search: [1]
| TDL4 reloaded: Purple Haze all in my brain | |
|---|---|
| |
| Botnet | TDL-4 |
| Malware | TDL-4 (bot), Purple Haze, ZeroAccess |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / February 3, 2012 |
| Editor/Conference | ESET |
| Link | http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain blog.eset.com (blog.eset.com Archive copy) |
| Author | David Harley, Eugene Rodionov, Aleksandr Matrosov |
| Type | |
Abstract
“ This week we received an untypical sample of Win32/Olmarik.AYD (TDL4) from Mila (of the contagiodump blog). We have already spent a long time tracking TDL4 bootkit family (The Evolution of TDL: Conquering x64) and this time we are seeing key modifications to the dropper and hidden file system. In the dropper we find some interesting mechanisms for privilege escalation: this is something we haven’t seen before in Win32/Olmarik droppers. The first interesting discovery is that the dropper downloads and executes a legitimate Adobe Flash Player installer to be launched in the context of the “trusted” application. In the November of the last year Win32/Sirefef (ZeroAccess) used the same technique to implement a DLL hijacking attack with the msimg32.dll module.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR875,
editor = {ESET},
author = {David Harley, Eugene Rodionov, Aleksandr Matrosov},
title = {TDL4 reloaded: Purple Haze all in my brain},
date = {03},
month = Feb,
year = {2012},
howpublished = {\url{http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain blog.eset.com}},
}