ZeroAccess (aka Sirefef) common information.
Multi-component family of malware that uses stealth to hide its presence on your computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes:
Features: p2p engine for botnet organization.
ZeroAccess timeline, thanks to rin.
****************************************************************************************
Original post below.
Multi-component family of malware that uses stealth to hide its presence on your computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes:
- Downloading and executing of arbitrary files
- Contacting remote hosts
- Disabling of integrated Windows security features
Features: p2p engine for botnet organization.
ZeroAccess timeline, thanks to rin.
- Summer 2009
Intiial first rootkit version found ITW. Initially known as "win32k router" rootkit. Reparse points used for "kill av" purposes, actually kills everything what is trying to touch rootkit data.
See MMPC encyclopedia entry (updated in 2011)
Trojan:Win32/Sirefef.A
Virus Bulletin: A journey into the Sirefef packer: a research case study
Article at Virus Bulletin - July - August 2009
Firstly mentioned by a_d_13 at sysinternals and DiabloNova (EP_X0FF) at rootkit.com, rootkit gets it name MaxPlus from name of device it used "\Device\__max++>". - End of 2009
Russian ransomware Digitala/GetAccelerator equipped with Sirefef.A found in the wild. Original TDL3 based malware with z00clicker dll found in the wild. - Beginning of 2010
Second rootkit version arrived. Reimplemented in many ways. Sirefef already established botnet. Actual name "ZeroAccess" retrieved from pdb string found inside driver body.
Reverse-engineered by Giuseppe Bonfa aka Evilcry
Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit - May 2011
Sirefef got x64 backdoor and big update for B version with new way of storing payload at disk and kill av module as separate driver, meaning it is in beta stage.
z00clicker now used by Sirefef and updated to V2
See Kaspersky blogpost about x64 backdoor
MAX++ sets its sights on x64 platforms
Sirefef "Kill AV" feature initially posted here
Prevx blogpost describing the same stuff
ZeroAccess Rootkit Guards Itself with a Tripwire
Prevx blogpost describing new way of storing payload
ZeroAccess Gets Another Update - Later 2011 Summer
Sirefef have incorporated killav plugin in main driver. In the wild found ZeroAccess plugin targetting TDL4 and TDL3 clones. Later the same year they removed from driver killav feature.
Prevx found TDL4 killing plugin, mislabeled it as TDL3
TDL3 and ZeroAccess: More of the Same?
AVG blogpost about ZeroAccess dropper
ZeroAccess’s trick - A wolf in sheep’s clothing - End of 2011
ZeroAccess start using Adobe FlashPlayer dll spoofing during installation.
Blogpost from McAfee
ZeroAccess Rootkit Launched by Signed Installers
Kindsight article about ZeroAccess, describing P2P protocol V1 (pdf)
Botnet: ZeroAccess/Sirefef - March 2012
Symantec writeup about ZeroAccess (pdf)
Trojan.ZeroAccess Infection Analysis
Sophos writeup about ZeroAccess (pdf)
ZeroAccess - May - Summer 2012
Sirefef did major shift in distribution strategy removed rootkit as primary component and pushing few new variants described here on this forum in topic ZeroAccess (alias MaxPlus, Sirefef), p2p protocol updated to V2, z00clicker now V3.
Sophos writeup about new user mode backdoor
Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode - September 2012
Sophos writeup about ZeroAccess (pdf), partially describing P2P protocol V2 <- one of the best available articles about ZeroAccess
The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain - February 2013
Win32/Sirefef detection and removal is now included in MSRT.
MSRT February 2013 – Sirefef
See this post for more details and removal guide.
****************************************************************************************
Original post below.
Infects (replaces) system drivers.
Injects dll into address space of some trusted processes. Actively counteracts detection (stealing driver objects of disk.sys
and pci.sys) and removal. Driver install ImageLoad notification and performing IRP hooking for disk storage driver (disk.sys).
Payload dll performing a lot of modifications in user mode (splicing).
Previous generation of this rootkit was acting like file system redirector, killing detection software when it is trying to access
rootkit data.
VirusTotal
http://www.virustotal.com/analisis/d224 ... 1268574110
MD5
d8f6566c5f9caa795204a40b3aaaafa2
SHA1
d0b7cd496387883b265d649e811641f743502c41
Attachments
no pass
(1.54 MiB) Downloaded 130 times
(1.54 MiB) Downloaded 130 times
no pass
(1.22 MiB) Downloaded 89 times
(1.22 MiB) Downloaded 89 times
no pass
(2.54 MiB) Downloaded 88 times
(2.54 MiB) Downloaded 88 times
no pass
(968.57 KiB) Downloaded 100 times
(968.57 KiB) Downloaded 100 times
2010 year dropper, pass: malware
(57.63 KiB) Downloaded 614 times
(57.63 KiB) Downloaded 614 times
Ring0 - the source of inspiration