A forum for reverse engineering, OS internals and malware analysis 

 #27691  by EP_X0FF
 Tue Jan 19, 2016 12:35 pm
yaniva wrote:Hi,
I'm new at analyzing the ZeroAccess malware family, so I'm sorry if I'm going to ask a newbie question.
How can I be certain that I have successfully infected myself with ZeroAccess?
While I analyzed Dridex there were some threads in Explorer.exe that were created upon successful infection; is there anything similar with ZeroAccess?
Permanent UDP traffic from svchost.exe in this version. Handle opened for peer bootstrap list @ inside svchost.
 #27692  by MalwareTech
 Tue Jan 19, 2016 2:05 pm
EP_X0FF wrote:They are actually identical and belong to the same "test" botnet, which is doing nothing, and the core components are untouched, as well as the bootstrap list. Nothing new. Probably the only difference so far is the xor key used to decrypt image data in the high-level dropper code, which looks like it is set up automatically by the bot builder when it inserts the encrypted lower-level dropper as an image into the high-level dropper resource, plus a different build time. Why is the high-level dropper not obfuscated at all?
Bootstrap list looks changed to me, but it is weird there are only unencrypted bins.
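EP_X0FF's remark above is that the two droppers differ mainly in the xor key the high-level dropper uses to decrypt the embedded image. The following is an added example, not code from this thread and not ZeroAccess's own routine: it assumes the resource is a PE image under a repeating-key XOR (key length up to 32, applied from offset 0 of the blob) and recovers the key from known plaintext. The known plaintext is the DOS-header region at offsets 0x1C-0x3B, which linkers normally leave zeroed, so every ciphertext byte there is a key byte; a candidate key is accepted only if the decrypted blob has `MZ` at 0 and `PE\0\0` at `e_lfanew`. The sample image built by `build_sample_pe` is constructed for the demo, not a real dropper.

```python
"""Recover a repeating XOR key from an encrypted PE resource (illustrative example).

Assumptions (not facts from the thread): repeating-key XOR starting at
blob offset 0, key length <= 32, and a plaintext whose DOS header keeps the
conventional zero run at 0x1C..0x3B (e_res, e_oemid, e_oeminfo, e_res2).
"""
import struct
from typing import Optional

# DOS header bytes that are normally zero in linked PE files.
# Their ciphertext therefore equals the key byte at that position.
ZERO_RUN = range(0x1C, 0x3C)
MAX_KEY_LEN = len(ZERO_RUN)  # 32 consecutive offsets cover every key index up to 32


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; used both to build the sample and to decrypt it."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return 0x40 <= e_lfanew <= len(data) - 4 and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_xor_key(blob: bytes) -> Optional[bytes]:
    """Return the shortest repeating XOR key that turns blob into a PE, else None."""
    if len(blob) < 0x40:
        return None
    for key_len in range(1, MAX_KEY_LEN + 1):
        key = [None] * key_len
        consistent = True
        for i in ZERO_RUN:
            j = i % key_len
            if key[j] is None:
                key[j] = blob[i]          # plaintext 0x00 ^ key[j] == blob[i]
            elif key[j] != blob[i]:
                consistent = False        # the zero run disagrees with this period
                break
        if not consistent:
            continue
        candidate = bytes(key)
        if looks_like_pe(xor_bytes(blob, candidate)):
            return candidate
    return None


def build_sample_pe(payload_size: int = 64) -> bytes:
    """Constructed minimal PE-like image for the demo (not a real sample):
    non-zero DOS fields, the usual zero run, e_lfanew -> 0x40, 'PE\\0\\0', filler."""
    img = bytearray(0x40 + 4 + payload_size)
    img[0:2] = b"MZ"
    img[2:0x1C] = bytes(range(0x90, 0x90 + 0x1A))   # e_cblp .. e_ovno, arbitrary
    struct.pack_into("<I", img, 0x3C, 0x40)          # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    img[0x44:] = bytes((i * 37 + 11) & 0xFF for i in range(payload_size))
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_pe()
    for key in (b"\x7f", b"\x5a\xc3\x17", bytes(range(1, 12))):
        enc = xor_bytes(sample, key)
        found = recover_xor_key(enc)
        print(f"key {key.hex()} -> recovered {found.hex() if found else None}")
```

The consistency check is what makes this cheap: a wrong period makes the zero run contradict itself before any decryption is attempted, and the `PE\0\0` check at `e_lfanew` rejects keys that happen to be consistent but wrong. If a builder randomises the key per build, as EP_X0FF suggests, this recovers it per sample without needing the dropper's own decryption code.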
 #27693  by EP_X0FF
 Tue Jan 19, 2016 2:45 pm
MalwareTech wrote:Bootstrap list looks changed to me, but it is weird there are only unencrypted bins.
They are absolutely the same.

Binaries compiled and after a few hours uploaded by the author(!) to VT. lol, wtf are they doing?
 #27694  by MalwareTech
 Tue Jan 19, 2016 3:26 pm
EP_X0FF wrote:They are absolutely the same.

Binaries compiled and after a few hours uploaded by the author(!) to VT. lol, wtf are they doing?
2 of the binaries I got have different s32 and s64 files

I guess they are testing something or someone is changing compile data and uploading for trolling
 #27701  by EP_X0FF
 Wed Jan 20, 2016 2:10 pm
kmd wrote:hi, why is the number of bots online so small?
It can be just one botnet of a possibly unknown number running this ZeroAccess variant; let's call it <A>. We have the key to <A>'s bootstrap list - the initial list of peers the bot attempts to connect to. A different botnet <B> will have a completely different bootstrap list where all peers will be unknown to <A>. So currently monitoring peers in <A> makes no practical sense, as you monitor only one cell of an unknown number in existence. The only possible sense - crawling plugins, but again the plugins of <B> can be completely different from the plugins in <A>, and currently botnet <A> has only generic plugins - the callback address plugin and the bot tracking plugin. I think the number of botnets running on this particular version of ZeroAccess is more than 1, especially when this malware has been online for about 1.5 years.
 #27742  by EP_X0FF
 Tue Jan 26, 2016 7:38 am
3 weeks later. This is all you need to know about modern AV "industry" of fake-AV's and "security" companies investigating "state sponsored" APT script-kiddie shit and bin-diffing MS patches.

Even in static scan they failed. Note nothing is crypted here.

Callback address plugin - as downloaded (despite the fact they are resource only dlls they still part of ZeroAccess)
https://www.virustotal.com/en/file/0491 ... 453792440/ (2/53) ZERO correct names
https://www.virustotal.com/en/file/2e6a ... 453792458/ (2/53) ZERO correct names

Callback address plugin - as loaded in memory
https://www.virustotal.com/en/file/1df9 ... /analysis/ (0/44) Nothing
https://www.virustotal.com/en/file/0ea4 ... 453792638/ (0/54) Nothing

Tracker plugin - as downloaded
https://www.virustotal.com/en/file/f8ad ... 453792463/ (2/54) 1 correct names
https://www.virustotal.com/en/file/7f1d ... 453792469/ (1/53) ZERO correct names

Tracker plugin - as loaded in memory and executed
https://www.virustotal.com/en/file/b56e ... 453792647/ (6/54) 2 correct names
https://www.virustotal.com/en/file/0f7c ... /analysis/ (3/53) 1 correct detection

UAC bypass dll - as loaded and executed in memory
https://www.virustotal.com/en/file/2e27 ... 453792497/ (5/54) 2 correct names

P2P dlls - more correct detections just because these modules share > 50% of code with the previous version of ZeroAccess

https://www.virustotal.com/en/file/949d ... 453792487/ (30/53) 10 correct names
https://www.virustotal.com/en/file/3700 ... 453792513/ (29/53) 10 correct names

Dropper itself (again more detection because it share most of the code with previous ZeroAccess version)
https://www.virustotal.com/en/file/7bab ... 453792475/ (43/53) 15 correct names

Dropper as it executed
https://www.virustotal.com/en/file/6a62 ... 453792480/ (33/46) 6 correct names

Remembering these autists from Phallus Group who investigated Delphi Rombertik for a few months, it is clear that: when malware is a little bit more complicated than the usual dotnet or zeus crap and, what is most important, can be used for company marketing purposes - then it is called APT. When it is more complicated than the average AV "analyst" can understand - then it is not malware, so dgaf about it.
 #27745  by R136a1
 Tue Jan 26, 2016 12:28 pm
I am also surprised that the return of this botnet got no attention from any of the big security companies. Especially because it's one of the few remaining malware families which deserves the term "sophisticated". On the other hand, it is understandable after they proclaimed victory over the botnet two years ago... No media attention -> no detection
 #27746  by MalwareTech
 Tue Jan 26, 2016 1:58 pm
R136a1 wrote:I am also surprised that the return of this botnet got no attention from any of the big security companies. Especially because it's one of the few remaining malware families which deserves the term "sophisticated". On the other hand, it is understandable after they proclaimed victory over the botnet two years ago... No media attention -> no detection
It didn't get any attention because ZeroAccess is gone!! it was shut down permanently!! doesn't exist anymore!! Move along people, nothing to see here.


On a more serious note, I've got a tracker online here: https://intel.malwaretech.com/botnet/za3/?m=5 I'm trying to figure out if it's spreading at all; there does seem to be a very slow growth in the number of online bots per day, but that could be just all the crawlers using EP_X0FF's source :P

[chart: online bots per day from the tracker]

The number of unique IPs per day is about 2000 (due to lots of the bots having dynamic IPs), but as you can see the number is slowly increasing, though again it could just be new crawlers. It's a very small scale operation (probably testing) and, as EP_X0FF said, all the samples are unencrypted. If they are spreading it would be very slow and hard to tell apart from normal DHCP churn.
 #27747  by R136a1
 Tue Jan 26, 2016 3:51 pm
MalwareTech wrote:I'm trying to figure out if it's spreading at all, there does seem to be a very slow growth in number of online bots per day but that could be just all the crawlers using EP_X0FFs source :P
I am also trying to figure out the infection vector itself for some time, but it remains unknown to me. I have found only one encrypted dropper sample which gives a clue about the spreading method.

This dropper was uploaded to VT two times as "Setup.exe" inside ZIP archives with the following names:
sof-andreevna-tolsta-povarenna-kniga.zip
vaz-2107-ploho-nagrevaets-dvigatel.zip

If anyone has more information, please share. Thanks.