A forum for reverse engineering, OS internals and malware analysis 

 #16389  by Peter Kleissner
 Sat Nov 03, 2012 7:57 am
Attached are all the possible domains for 2011/2012. I used the algorithm from the Prevx document (which dates to 7/20/2011).

It might be interesting to sinkhole it and check how many zombies still use that DGA. Though it's kinda stupid that they are using the .cn extension, which is difficult to register and expensive.
Attachments
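Counting how many distinct clients still query the candidate domains is the measurement the sinkholing idea above implies. The following is an added example, not code from the post or the attachment: it assumes a candidate list keyed by day (the attached file's layout is not known) and uses constructed placeholder domains and constructed resolver log lines.

```python
from collections import defaultdict

# Constructed stand-in for the attached 2011/2012 domain list, assumed keyed by day.
# These are placeholders, not real Sirefef/ZeroAccess DGA domains.
DGA_CANDIDATES = {
    "2012-11-03": {"zb7fk2x.cn", "qp9d1lm.cn"},
    "2012-11-04": {"r4ws8nd.cn", "tmh6cj0.cn"},
}

# Constructed sinkhole resolver log: "<ISO timestamp> <client-ip> <queried-name>"
SINKHOLE_LOG = """\
2012-11-03T10:02:11Z 198.51.100.7 zb7fk2x.cn.
2012-11-03T10:02:15Z 198.51.100.7 ZB7FK2X.CN
2012-11-03T11:40:02Z 203.0.113.42 qp9d1lm.cn
2012-11-03T12:00:00Z 203.0.113.42 www.example.org
2012-11-04T00:13:55Z 198.51.100.9 r4ws8nd.cn
2012-11-04T01:00:01Z 203.0.113.42 tmh6cj0.cn
2012-11-04T01:00:02Z 192.0.2.1 r4ws8nd.cn
"""


def normalize(name):
    """Lowercase and drop the trailing dot so 'ZB7FK2X.CN.' matches 'zb7fk2x.cn'."""
    return name.rstrip(".").lower()


def count_dga_clients(log_text, candidates):
    """Map each day to the set of client IPs that queried that day's DGA domains.

    Only the day's own candidates count, so a query for another day's
    domain (or an unrelated name) is ignored rather than counted as a bot.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        timestamp, client, qname = parts
        day = timestamp.split("T", 1)[0]
        if normalize(qname) in candidates.get(day, ()):
            hits[day].add(client)
    return dict(hits)


def population_estimate(hits):
    """Distinct clients across the whole window: a rough upper bound on live bots
    (NAT collapses several hosts into one IP, DHCP churn does the opposite)."""
    return len(set().union(*hits.values())) if hits else 0
```

A repeat client on the same day is counted once, so `198.51.100.7` contributes one hit for 2012-11-03 despite two queries.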
 #16397  by EP_X0FF
 Sat Nov 03, 2012 10:00 am
Peter Kleissner wrote:
Attached are all the possible domains for 2011/2012. I used the algorithm from the Prevx document (which dates to 7/20/2011).

It might be interesting to sinkhole it and check how many zombies still use that DGA. Though it's kinda stupid that they are using the .cn extension, which is difficult to register and expensive.
I don't think they use the same algorithm in the current version. A brief look at the current versions attached in this thread didn't reveal anything equal to the Prevx article code in either the user-mode or the rootkit Sirefef versions. Probably it was changed a long time ago, and since Sirefef is a growing botnet, the number of old infected machines is likely not so significant compared to new ones. Correct me if I'm wrong, of course.
 #16733  by Aleksandra
 Tue Nov 20, 2012 8:05 pm
_http://kokl.fivtrans.ro/n199.exe

MD5: c1eafce874bef1e8dd02b3fb29bdf387
SHA1: 4e6cbd473391d937a546821cc64612b00c0b7fca
https://www.virustotal.com/file/40ba925 ... /analysis/

Dropper and forged driver attached.
Attachments
pass: virus
pass: virus