Remove TDL4 – Purple Haze Pihar bootkit Variant

by Britec

Win32/Olmarik.AYD (TDL4) bootkit family (The Evolution of TDL: Conquering x64), and this time we are seeing key modifications to the dropper and to the hidden file system. In the dropper we find some interesting mechanisms for privilege escalation, something we haven’t seen before in Win32/Olmarik droppers. The first interesting discovery is that the dropper downloads and executes a legitimate Adobe Flash Player installer so that the malicious code is launched in the context of a “trusted” application. In November of last year Win32/Sirefef (ZeroAccess) used the same technique to implement a DLL hijacking attack with the msimg32.dll module.
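The DLL hijacking trick described above only works when a file named after a system DLL (here msimg32.dll) sits in the directory of the executable that gets launched, outside the real system directories. The following added example (not code from Britec or from ESET) is a small defender-side check for that precondition: it walks a directory tree, reports every msimg32.dll found outside the trusted system directories, and compares each copy's SHA-256 with the genuine copy in System32. The directory layout and file contents are constructed in a temporary folder so the script runs offline anywhere; on a real host you would point `find_planted_dlls` at the drive root and pass `C:\Windows\System32` and `C:\Windows\SysWOW64` as the system directories.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# DLL names worth checking for search-order hijacking. msimg32.dll is the one
# named on the page; the set can be extended with other commonly abused names.
HIJACK_CANDIDATES = {"msimg32.dll"}


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_planted_dlls(root, system_dirs, names=HIJACK_CANDIDATES):
    """Report every file whose name is in `names` and which lives outside
    `system_dirs`. Each finding records whether the copy is byte-identical to
    the reference copy in a system directory (None if no reference exists)."""
    system_dirs = [Path(d).resolve() for d in system_dirs]
    names = {n.lower() for n in names}

    # Reference hashes of the genuine DLLs, taken from the system directories.
    reference = {}
    for d in system_dirs:
        for name in names:
            p = d / name
            if p.is_file():
                reference[name] = sha256_of(p)

    findings = []
    for dirpath, _, filenames in os.walk(root):
        dp = Path(dirpath).resolve()
        # Skip the trusted system directories themselves.
        if any(dp == s or s in dp.parents for s in system_dirs):
            continue
        for fn in filenames:
            if fn.lower() in names:
                p = dp / fn
                digest = sha256_of(p)
                ref = reference.get(fn.lower())
                findings.append({
                    "path": str(p),
                    "sha256": digest,
                    "matches_system_copy": (ref == digest) if ref else None,
                })
    return findings


def build_constructed_tree():
    """Create a constructed, Windows-like directory layout in a temp folder:
    a genuine msimg32.dll in System32, a planted copy next to an installer in
    a user's Downloads folder, and a harmless duplicate of the genuine DLL
    shipped by a third-party application. Nothing here is a real binary."""
    root = Path(tempfile.mkdtemp(prefix="dllhijack_demo_"))
    genuine = b"constructed: genuine system msimg32.dll"

    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "msimg32.dll").write_bytes(genuine)

    planted = root / "Users" / "victim" / "Downloads" / "install_flash_player"
    planted.mkdir(parents=True)
    (planted / "install_flash_player.exe").write_bytes(b"constructed: legitimate installer")
    (planted / "msimg32.dll").write_bytes(b"constructed: attacker-planted loader")

    benign = root / "Program Files" / "SomeApp"
    benign.mkdir(parents=True)
    (benign / "msimg32.dll").write_bytes(genuine)

    return root, [sys32]


def run_demo():
    """Build the constructed tree and return the findings for it."""
    root, system_dirs = build_constructed_tree()
    return find_planted_dlls(root, system_dirs)


if __name__ == "__main__":
    for f in run_demo():
        verdict = {True: "same as System32 copy", False: "DIFFERS from System32 copy",
                   None: "no reference copy"}[f["matches_system_copy"]]
        print(f'{f["path"]}: {verdict}')
```

On the constructed tree the check returns two findings: the copy beside the installer, whose hash differs from the System32 copy, and the copy under Program Files, which is identical to it. A mismatching copy next to an executable is the signal to triage first; an identical copy is usually an application bundling the real DLL, though it still deserves a look because the hijack precondition (a same-named DLL in the search path ahead of System32) is present either way.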

Kaspersky TDSSKiller: https://support.kaspersky.com/downloads/utils/tdsskiller.exe

SurfRight HitmanPro: https://www.surfright.nl/en

More info about this rootkit here:
https://blog.eset.com/2012/02/02/tdl4-reloaded-purple-haze-all-in-my-brain
