A forum for reverse engineering, OS internals and malware analysis 

ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #18662  by EP_X0FF
 Sat Mar 23, 2013 1:11 pm
In attach you will find pack of files currently rotating in ZeroAccess p2p network. One of them (well to be more correct - part of this file) is a direct reference to TDL3 :)
  • 00000001 - resource only dll, used by 80000000
  • 800000cb - export 800000_cb routine performing payload decryption and injection to svchost.exe (more about it below)
  • 80000000 - works with NTFS EA to store/read data under "U" directory (item 001 & 002), contains list of supported commands (send, recv, disk, cnct).
As for me it was most interesting to find reference to TDL3, so here is it. It is inside 800000cb file. This file works like a loader for actual payload. Starting from VA 0x000015BA located payload encrypted with xor. To decrypt it use algo from previous post http://www.kernelmode.info/forum/viewto ... 653#p18653, key is different and it is 0x12345678. Once decrypted you will find that it is actually MSCF - cabinet file. Overall sirefef really likes to use Cab archives in it droppers. This cab contains file named noreloc.cod (attached) which is combination of shellcode + attached dll, together almost 27 KB in size. Shell used here is similar to shell used by Sirefef that infects services.exe. And finally dll, which is reincarnation of TDL3 z00clicker.dll, while work it registers window class with the name z00clicker3, 3 here probably stands for version :)

https://www.virustotal.com/en/file/138f ... /analysis/
https://www.virustotal.com/en/file/e0d7 ... /analysis/
https://www.virustotal.com/en/file/8744 ... /analysis/
https://www.virustotal.com/en/file/9a9d ... /analysis/
https://www.virustotal.com/en/file/e64c ... /analysis/
Attachments
pass: malware
(15.12 KiB) Downloaded 66 times
pass: malware
(24.37 KiB) Downloaded 68 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #18664  by EP_X0FF
 Sat Mar 23, 2013 1:34 pm
Hehe. Few different ZeroAccess variants running right now, one from 2012 summer, if they download anything interesting I will attach here ;) As for now they rotating above files with periodical updates of 00000001 and 800000cb, 80000000 wasn't updated since October 2012.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #18665  by rinn
 Sat Mar 23, 2013 1:57 pm
I remember ZeroAccess pushed special Anti-TDL plugin in a middle of 2011, prevx posted about it :)

Best Regards,
-rin

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #18666  by EP_X0FF
 Sat Mar 23, 2013 2:11 pm
rinn wrote:I remember ZeroAccess pushed special Anti-TDL plugin in a middle of 2011, prevx posted about it :)
Yes, it was amusing.

http://www.kernelmode.info/forum/viewto ... 7911#p7911

That guy from Webroot made a few mistakes describing stuff (he was generally sort of moron, who copy-pasted TDL4 discovery from this site in his blog as his achievement, and well promoted their fakeav in 2006 year with hysterics about LinkOptimizer infection):

1. cmd.dll and cfg.ini was only in TDL4, if it were targeting TDL3 as proclaimed in this article then it had to find tdlcmd.dll and config.ini. The only after some period of time were found TDL3 clones which used TDL4 filenames, but their amount was a little and insignificant.
2. ZeroAccess AV plugin distribution time, apprx starting of summer 2011 - so when it was released TDL3 already was replaced by TDL4 (released in July-August 2010, while TDL3 almost died in the beginning of 2010 autumn).

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #18676  by EP_X0FF
 Sun Mar 24, 2013 4:10 am
hx1997 wrote:ZeroAccess Dropper

MD5: 251AC3A16EA2985DEE8C17726EEF6EFE

VT 5/45
https://www.virustotal.com/en/file/a338 ... 364095211/
This is newly obfuscated dropper of http://www.kernelmode.info/forum/viewto ... 553#p18553, only dropper obfuscation refreshed, everything else is the same.

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #18685  by EP_X0FF
 Mon Mar 25, 2013 4:52 am
Sirefef x64 p2p network payload + decoded z00clicker3 dll. The same as x86-32, just recompiled for x64.

https://www.virustotal.com/en/file/eab9 ... /analysis/
https://www.virustotal.com/en/file/f0b2 ... /analysis/
https://www.virustotal.com/en/file/d6d1 ... /analysis/
https://www.virustotal.com/en/file/bdff ... /analysis/
Attachments
pass: malware
(61.91 KiB) Downloaded 76 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #18787  by EP_X0FF
 Mon Apr 01, 2013 10:19 am
Such a epic static detection ratio.

Detection ratio: 1 / 46

SHA256: e13b509fae7a12e7ed71c3ff2400bdb0beb31c1372db3c31f1e71dd1c89903bd
SHA1: 95f498a52a816ee9fb105dabb0bc2d5477537300
MD5: 251e2d015c819dd696322d6550a9c206

https://www.virustotal.com/en/file/e13b ... 364811045/

Dropper + extracted fresh crypted p2p.32.dll attached.
Attachments
pass: infected
(207.81 KiB) Downloaded 72 times

Re: ZeroAccess (alias MaxPlus, Sirefef)

 #18797  by EP_X0FF
 Mon Apr 01, 2013 4:49 pm
Two Sirefef's with file infection method, payload of BH EK.

Both Detection ratio: 2 / 46

SHA256: 531d1d42360481bce00b4cfb07688917c318cfcfa21eba7cbc6362dadf747236
SHA1: 4454ba600884e434c82605f48ee6a69a8365b02f
MD5: aa4952dfe913be3fdc13ca0d500044ba

https://www.virustotal.com/en/file/531d ... /analysis/


SHA256: 6dc9ffcd1831dcd60c2b39775286dbddaa435df8fc23d0893583333bc494f476
SHA1: ba27cb7bbbddf8d4bca5362884584e847a2a37fb
MD5: 42ca080757a94bf05f4368ed3be40330

https://www.virustotal.com/en/file/6dc9 ... /analysis/
Attachments
pass: infected
(271.68 KiB) Downloaded 64 times
  • 1
  • 35
  • 36
  • 37
  • 38
  • 39
  • 56
 Return to “Malware”