Win32/Olmarik.AYD

By LoneStar in Trojans

There is no doubt that the TDL4 bootkit is one of the most dangerous and widespread malware infections of the past years. Win32/Olmarik.AYD is one of the many variants in this dangerous malware family. While Win32/Olmarik.AYD has some characteristics that are largely uncommon for TDL4, this is not too surprising: one of the most dangerous characteristics of Win32/Olmarik.AYD is that it is constantly updated and tweaked in an attempt to stay one step ahead of PC security researchers at all times.

Malware analysts always keep an eye on the evolution of the TDL4 bootkit family, since it is to blame for a large share of severe malware attacks around the world. Win32/Olmarik.AYD introduces several important changes to the Trojan dropper for this dangerous rootkit (the Trojan that delivers the TDL4 rootkit onto the victim's computer system) and to the rootkit's hidden file system. Remember that TDL4, like all rootkits, creates a hidden file system which allows it to remain hidden from detection and out of reach of conventional anti-virus programs.

Changes in Win32/Olmarik.AYD from Previous Versions of the TDL4 Bootkit

Without getting too technical, the Trojan dropper that allows the TDL4 bootkit to take over the victim's computer system now downloads and executes the Adobe Flash Player Installer as a way to trick the victim's computer into treating Win32/Olmarik.AYD as a 'trusted' application. This technique was seen before in 2011 with various versions of the ZeroAccess rootkit. Using this technique, Win32/Olmarik.AYD can use a corrupted DLL file to install the TDL4 bootkit on the victim's computer system. Another new feature in the Win32/Olmarik.AYD infection is a new technique for attacking 64-bit operating systems, the newest addition to the hackers' arsenal for compromising 64-bit Windows. While the actual infection mechanism remains the same, criminals now store the malicious modules that attack the victim's computer in encrypted form.

By encrypting portions of Win32/Olmarik.AYD, criminals can bypass the methods by which common security software detected and removed previous versions of the TDL4 bootkit, namely searching for the specific components that Win32/Olmarik.AYD now keeps encrypted. Various PC security researchers have started to give Win32/Olmarik.AYD the nickname 'Purple Haze', since this is the name of an updated configuration file for Win32/Olmarik.AYD which applies various tweaks and smaller changes to the components of TDL4 so that they can bypass some security systems put in place against it. Fortunately, PC security analysts have already released updated TDL4 removal tools which are also able to overcome the newest features included in Win32/Olmarik.AYD.
