Remove TDL4 - Purple Haze Pihar bootkit Variant by Britec

Win32/Olmarik.AYD (TDL4) bootkit family (The Evolution of TDL: Conquering x64) and this time we are seeing key modifications to the dropper and hidden file system. In the dropper we find some interesting mechanisms for privilege escalation: this is something we haven't seen before in Win32/Olmarik droppers. The first interesting discovery is that the dropper downloads and executes a legitimate Adobe Flash Player installer to be launched in the context of the "trusted" application. In the November of the last year Win32/Sirefef (ZeroAccess) used the same technique to implement a DLL hijacking attack with the msimg32.dll module.

[ Ссылка ]

[ Ссылка ]

more info about this rootkit here
[ Ссылка ]
----------------------------------------------
need more help and tips?
[ Ссылка ]

свернуть