TDL4 reloaded: Purple Haze all in my brain
| Field | Value |
|---|---|
| Botnet | TDL-4 |
| Malware | TDL-4 (bot), Purple Haze, ZeroAccess |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / February 3, 2012 |
| Editor/Conference | ESET |
| Link | http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain (archive copy available) |
| Author | David Harley, Eugene Rodionov, Aleksandr Matrosov |
| Type | |
Abstract
“This week we received an untypical sample of Win32/Olmarik.AYD (TDL4) from Mila (of the contagiodump blog). We have already spent a long time tracking the TDL4 bootkit family (The Evolution of TDL: Conquering x64) and this time we are seeing key modifications to the dropper and hidden file system. In the dropper we find some interesting mechanisms for privilege escalation: this is something we haven’t seen before in Win32/Olmarik droppers. The first interesting discovery is that the dropper downloads and executes a legitimate Adobe Flash Player installer to be launched in the context of the “trusted” application. In November of last year Win32/Sirefef (ZeroAccess) used the same technique to implement a DLL hijacking attack with the msimg32.dll module.”
Bibtex
```bibtex
@misc{2012BFR875,
  editor       = {ESET},
  author       = {David Harley, Eugene Rodionov, Aleksandr Matrosov},
  title        = {TDL4 reloaded: Purple Haze all in my brain},
  date         = {03},
  month        = Feb,
  year         = {2012},
  howpublished = {\url{http://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain}},
}
```