Purple Haze is new malware that is similar to TDL. I recently got a sample from an excellent malware analysis/reversing forum, kernelmode.info, and had a quick look at the code (goodbye, my weekend).
The code is actually very interesting, and some parts of it have already been covered by ESET’s blog. What caught my attention from a forensics perspective, though, was that one of the modules the malware uses (the ad clicker component, I presume) relies on simple anti-forensics code to clean up the cache: