TDL4 reloaded: Purple Haze all in my brain

From Botnets.fr

(Publication)

Botnet: TDL-4
Malware: TDL-4 (bot), Purple Haze, ZeroAccess
Date: February 3, 2012
Editor/Conference: ESET
Link: http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain (blog.eset.com; archive copy available)
Author: David Harley, Eugene Rodionov, Aleksandr Matrosov

Abstract

This week we received an atypical sample of Win32/Olmarik.AYD (TDL4) from Mila (of the contagiodump blog). We have already spent a long time tracking the TDL4 bootkit family (The Evolution of TDL: Conquering x64) and this time we are seeing key modifications to the dropper and hidden file system. In the dropper we find some interesting mechanisms for privilege escalation: this is something we haven't seen before in Win32/Olmarik droppers. The first interesting discovery is that the dropper downloads and executes a legitimate Adobe Flash Player installer so that its code is launched in the context of the "trusted" application. In November of last year Win32/Sirefef (ZeroAccess) used the same technique to implement a DLL hijacking attack with the msimg32.dll module.
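The abstract describes a DLL search-order hijack: a malicious msimg32.dll is dropped next to a legitimate, signed installer, and because the application directory is searched before the system directory for a DLL that is not in the KnownDLLs list, the installer loads the attacker's copy. The detection below is an added example written for this wiki entry, not code from ESET or from the publication: it scans image-load records and flags any load of msimg32.dll from a directory other than System32 or SysWOW64, noting whether the DLL sits beside the loading executable. The record format (`Key=Value|Key=Value`) and the sample events are constructed for the example and only approximate a Sysmon image-load event.

```python
import ntpath

# DLL names worth watching for side-by-side hijacking. The page names only
# msimg32.dll; extend the set with other non-KnownDLLs as needed.
HIJACK_CANDIDATES = {"msimg32.dll"}

# Directories from which these system DLLs are legitimately resolved.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def parse_event(line):
    """Parse one constructed 'Key=Value|Key=Value' image-load record."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_system_dir(directory):
    """True when the directory is one of the legitimate system DLL locations."""
    return directory.rstrip("\\").lower() in SYSTEM_DIRS


def find_dll_hijacks(lines):
    """Return one finding per load of a watched DLL from a non-system directory."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        loaded = ev.get("ImageLoaded", "")
        directory, name = ntpath.split(loaded)
        if name.lower() not in HIJACK_CANDIDATES:
            continue
        if is_system_dir(directory):
            continue
        process = ev.get("Image", "")
        findings.append({
            "process": process,
            "dll": loaded,
            # The classic pattern: the DLL lives in the same directory as the EXE.
            "side_by_side": ntpath.dirname(process).lower() == directory.lower(),
        })
    return findings


# Constructed sample events (not real telemetry). Only the third one matches
# the technique from the abstract: a Flash installer in a temp directory
# picking up msimg32.dll from its own directory instead of the system copy.
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Example\app.exe|ImageLoaded=C:\Windows\System32\msimg32.dll",
    r"Image=C:\Users\alice\AppData\Local\Temp\install_flash_player.exe|ImageLoaded=C:\Windows\SysWOW64\msimg32.dll",
    r"Image=C:\Users\alice\AppData\Local\Temp\install_flash_player.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\msimg32.dll",
    r"Image=C:\Users\alice\AppData\Local\Temp\install_flash_player.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\user32.dll",
]


if __name__ == "__main__":
    for finding in find_dll_hijacks(SAMPLE_EVENTS):
        print(finding)
```

The check deliberately keys on the load path rather than on the executable: the installer is genuine and signed, so a signature check on the process would pass. A DLL that Windows lists under KnownDLLs is always resolved from System32 and can be removed from the watch set to avoid noise.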

Bibtex

 @misc{2012BFR875,
   editor = {ESET},
   author = {David Harley, Eugene Rodionov, Aleksandr Matrosov},
   title = {TDL4 reloaded: Purple Haze all in my brain},
   date = {03},
   month = Feb,
   year = {2012},
   howpublished = {\url{http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain}},
 }