Remove TDL4 – Purple Haze Pihar bootkit Variant

by Britec

Win32/Olmarik.AYD (TDL4) bootkit family (The Evolution of TDL: Conquering x64) and this time we are seeing key modifications to the dropper and hidden file system. In the dropper we find some interesting mechanisms for privilege escalation: this is something we haven’t seen before in Win32/Olmarik droppers. The first interesting discovery is that the dropper downloads and executes a legitimate Adobe Flash Player installer to be launched in the context of the “trusted” application. In November of last year Win32/Sirefef (ZeroAccess) used the same technique to implement a DLL hijacking attack with the msimg32.dll module.
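The trick described above works because Windows searches an executable's own directory before System32 when it resolves an imported DLL, so a copy of msimg32.dll dropped next to a legitimate, trusted installer gets loaded in that installer's context. The following triage script is an added example written for this page (not code from Britec or from the ESET write-up); it walks a directory tree and flags DLLs that carry a system-DLL name but sit outside the Windows system directories alongside an .exe. The sample layout it scans is constructed in a temporary directory so it runs offline on any OS, and the list of targeted DLL names beyond msimg32.dll is an assumption for the demo, not something the page states.

```python
"""Triage for DLL search-order hijacking (side-loading) candidates.

Added illustration for this page; not the author's or ESET's code.
Flags any file named like a Windows system DLL that lives outside
System32/SysWOW64 in the same directory as an executable, which is
exactly the layout a dropper creates when it parks msimg32.dll next
to a downloaded installer.
"""
import os
import tempfile
from pathlib import Path

# msimg32.dll is the module the page names for ZeroAccess; the other
# names are assumed additions for the demo, not taken from the page.
SYSTEM_DLLS = {"msimg32.dll", "version.dll", "dwmapi.dll", "cryptbase.dll"}

# Directories in which these names are legitimately found.
SYSTEM_DIRS = ("windows\\system32", "windows\\syswow64")


def is_system_dir(path: Path) -> bool:
    """True if the path lies under a Windows system directory (case-insensitive)."""
    normalised = str(path).replace("/", "\\").lower()
    return any(d in normalised for d in SYSTEM_DIRS)


def find_sideload_candidates(root: Path):
    """Return [(dll_path, [exe_paths])] for every suspicious DLL under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        directory = Path(dirpath)
        if is_system_dir(directory):
            continue
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        if not exes:
            continue  # no executable here to pick the DLL up
        for name in files:
            if name.lower() in SYSTEM_DLLS:
                hits.append((directory / name, [directory / e for e in exes]))
    return hits


def build_sample_tree(base: Path) -> Path:
    """Constructed sample layout (not a real infection) for the demo."""
    layout = {
        # legitimate copy in the system directory: must not be flagged
        "Windows/System32/msimg32.dll": b"legit",
        # downloaded installer with a planted msimg32.dll beside it: flag
        "Users/u/AppData/Local/Temp/flash/install_flash_player.exe": b"MZ",
        "Users/u/AppData/Local/Temp/flash/msimg32.dll": b"planted",
        # ordinary application with its own helper DLL: benign
        "Program Files/App/app.exe": b"MZ",
        "Program Files/App/helper.dll": b"benign",
        # stray system-named DLL with no executable next to it: ignored
        "Users/u/Downloads/msimg32.dll": b"stray",
    }
    for rel, content in layout.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return base


def demo():
    """Build the sample tree, scan it, and return flagged DLLs as relative POSIX paths."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(Path(tmp))
        hits = find_sideload_candidates(root)
        return sorted(dll.relative_to(root).as_posix() for dll, _ in hits)


if __name__ == "__main__":
    for candidate in demo():
        print("side-load candidate:", candidate)
```

On a real host you would point find_sideload_candidates at user-writable locations such as %TEMP% and %APPDATA%, where a dropper can write but a normal installer has no business shipping a copy of msimg32.dll; a hit is a lead for hashing and signature checks, not proof of infection by itself, since some legitimate software does ship private copies of system DLLs.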

More info about this rootkit here.
