A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #9838  by Neurofunk
 Tue Nov 22, 2011 10:56 pm
Hi there, I believe I have a sample of what you're looking for. I just found it on one of our machines: InstallFlashPlayer.exe (signed w/ Adobe cert which appears to be the same as the article's) located in the user's temp folder with msimg32.dll, both hidden and flagged as system files. Ran sample on a test machine here, then scanned with TDSSKiller: Rootkit.Win32.ZeroAccess.K infection found.

I would provide Virus Total links but in its usual fashion it is down when I need to use it :(

edit: was able to get VirusTotal to load. 0 detections on the DLL file:
http://www.virustotal.com/file-scan/rep ... 1322003773

File name: msimg32.dll
Submission date: 2011-11-22 23:16:13 (UTC)
Current status: finished
Result: 0 /43 (0.0%)
MD5 : 4e9a37688bc1fa27397575ae9f367894
SHA1 : 50c05dde4ae7e3beaed0bc0877179376ab2ff1a4
SHA256: cfca3aefa86d3260e68b8f2307707bd26c61bac36a5f6b0a06f885edd625cf6d
ssdeep: 3072:v1R9uBG/SEeWnqHsKf8zp6XXbRFFP7tlpy5EJdOdIQ:tR9o29eWqHs5zp8b/Fzt7JdOyQ
Attachments
password: infected
Last edited by Neurofunk on Wed Nov 23, 2011 3:18 am, edited 1 time in total.
 #9842  by Neurofunk
 Wed Nov 23, 2011 3:17 am
Just checking, but they might have been compressed with the hidden/system flag on them. I'll strip those off and reupload it. Small oversight ;)

edit: fixed, should be cleared of the hidden/system file flags. Reuploaded the new zip, same password as before.
 #9843  by a_d_13
 Wed Nov 23, 2011 3:21 am
Hello,

Yes, files were compressed with system + hidden attributes. Both files are present and seem to be correct malware - thank you for sharing.

Thanks,
--AD
 #9858  by markusg
 Wed Nov 23, 2011 3:41 pm
Are you sure the exe file is malware? When I delete the dll file from the folder the exe file is in, it only starts Flash Player, so I think the Adobe installer is clean, or am I wrong?
 #9860  by erikloman
 Wed Nov 23, 2011 3:44 pm
markusg wrote: Are you sure the exe file is malware? When I delete the dll file from the folder the exe file is in, it only starts Flash Player, so I think the Adobe installer is clean, or am I wrong?
It is msimg32.dll that gets loaded by the genuine official Flash Player Installer. The whole certificate thing, as McAfee wrote, plays NO ROLE.

The dll just makes use of the LoadLibrary hijacking 'feature' that loads DLLs in the current working folder BEFORE the dll in the system32 folder.
See also: http://www.computerworld.com/s/article/ ... ts_go_wild

Don't be fooled by VirusTotal not listing the msimg32.dll as malicious. It IS malicious and drops ZeroAccess.
Last edited by erikloman on Wed Nov 23, 2011 3:49 pm, edited 1 time in total.
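
An added example, not part of the thread or any poster's code: a triage check for the pattern discussed above, where a DLL named like a System32 DLL sits beside an executable outside System32, which is a lead that still works when hash reputation shows 0 detections. The inventory, user name and paths are constructed sample data, and `find_shadowing_dlls` is a hypothetical helper name.

```python
import ntpath  # applies Windows path rules on any host OS

HIDDEN, SYSTEM = 0x2, 0x4  # FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM

def find_shadowing_dlls(inventory, system_dir=r"C:\Windows\System32"):
    """Flag DLLs outside system_dir that share a name with a system DLL
    and sit in the same folder as an executable that could load them.
    inventory: iterable of (full_path, attribute_bits)."""
    sysdir = ntpath.normcase(system_dir)
    system_names, by_dir = set(), {}
    for path, attrs in inventory:
        folder, name = ntpath.split(ntpath.normcase(path))
        if folder == sysdir:
            system_names.add(name)
        else:
            by_dir.setdefault(folder, []).append((path, name, attrs))
    findings = []
    for entries in by_dir.values():
        exes = [p for p, n, _ in entries if n.endswith(".exe")]
        if not exes:
            continue  # no host executable in this folder
        for path, name, attrs in entries:
            if name.endswith(".dll") and name in system_names:
                findings.append({
                    "dll": path,
                    "beside_exes": exes,  # candidates, not confirmed loaders
                    # hidden + system together matches how the files were found
                    "hidden_system": (attrs & (HIDDEN | SYSTEM)) == (HIDDEN | SYSTEM),
                })
    return findings

# Constructed sample inventory (not data from the thread's machines).
TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_INVENTORY = [
    (r"C:\Windows\System32\msimg32.dll", 0x20),
    (r"C:\Windows\System32\kernel32.dll", 0x20),
    (TEMP + r"\InstallFlashPlayer.exe", HIDDEN | SYSTEM),
    (TEMP + r"\msimg32.dll", HIDDEN | SYSTEM),
    (r"C:\Program Files\App\app.exe", 0x20),
    (r"C:\Program Files\App\helper.dll", 0x20),
]

if __name__ == "__main__":
    for finding in find_shadowing_dlls(SAMPLE_INVENTORY):
        print(finding)
```

A hit is a lead for comparing the file's hash and signature against the System32 copy, not a verdict on its own.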