Warning: "anykey" and "download-every-security-shit-and-run-on-my-pc" lovers may skip this post, as it requires brain.sys and hands.dll to be up to date. This thread is strictly moderated, so AV fanboys will be banned immediately and forever.
As of February 2013, Win32/Sirefef family detection/removal is included in the MRT package, including removal of the notorious rootkit component, and it is delivered as part of Windows Update.
Win32/Sirefef is not as "Zero Access" as it pretends to be. In fact it is just another lolkit, well PR'ed by AV companies. It is known to be very aggressive and attention-grabbing on victim computers. It has been evolving over all the recent years, moving from major version A to B (counting the old 2009 win32k router rootkit as ZeroAccess beta), periodically updating the driver obfuscator, delivering aggressive self-protection modules (trap processes/keys for scanners, also known as "apk v eblo" in the narrow circle), multicomponent plugins, etc. When switching from version A to B they also seem to have changed the development team to one that previously worked on TDL3, or they improved their coding skills. Win32/Sirefef uses different approaches for self-hiding: splicing IRP handlers, adding a new device (TDL style) for filtering I/O requests, using an NTFS container, reparse points, etc. etc. It is very creative. It also has an x64 backdoor (without lolkit), an x86/x64 pure user-mode trojan with 4 different configurations (1 known as "CLSID ZeroAccess"), a system file patcher (TLS + NTFS EA), a system file patcher 2 (deep inline + NTFS EA), and "CLSID ZeroAccess" + autorunner. Probably the main idea of the ZeroAccess rootkit developers was "make it harder to remove no matter what it costs". Well, this is the main problem of this lolkit: due to such an aggressive position, it is completely not stealthy.
Short overview of MRT vs ZeroAccess; 100% success is not guaranteed, as always.
As a test example, take the last rootkit from this thread. ZeroAccess has not changed dramatically since then. Test platform: Windows XP SP3, 32-bit.
Where possible, MRT will find and deactivate all ZeroAccess rootkit variants by disinfecting the driver file. Here is a step-by-step removal using only MRT and built-in Windows tools.
1. Installing the rootkit (as we are doing a technical demo). During installation Sirefef infects a legitimate Windows driver and forces it to be loaded with the "asterisk" trick. In this case it was "afd.sys":
https://www.virustotal.com/ru/file/970f ... 360817886/
Infected driver verified by DrvMon (not part of Windows, used only for demonstration).
The dir command reveals exactly where Sirefef installed itself.
RkU 5 (used only for demonstration):
==============================================
>Drivers
==============================================
!-->[Hidden Driver] 0xF4933000 .afd, size: 102400 bytes
0x81BDE7A9 unknown_irp_handler, size: 2135 bytes
==============================================
>Stealth
==============================================
0x81E09F18 Suspicious device \GLOBAL??\0b765132
WARNING: Virus alike driver modification [afd.sys], size: 138112 bytes
"Very stealthy", yeah.
Inside this wonderful directory are all the Sirefef components, including plugins and configuration data.
(screenshot taken after MRT disinfection, see next)
2. Downloading MRT
http://www.microsoft.com/en-us/download ... aspx?id=16
3. Running a full system scan with MRT.
It reveals the active Sirefef components. A reboot is required to complete the removal.
After the reboot the rootkit is removed and all that is left is to clean up the trash from the Windows folder. The binary data inside this folder is no longer a threat, as it is encrypted and cannot be executed without an active ZeroAccess. The directory still cannot be accessed because of the reparse point Sirefef installed. The rootkit may also trash the security attributes of this directory, so let's gain full access to it first.
Remove the "All" ("Everyone", etc.) user from the security attributes list and then grant it back:
cacls c:\windows\$NtUninstallKB23108$ /e /c /r All
cacls c:\windows\$NtUninstallKB23108$ /e /c /g All:F
Note 1: on Vista and later use icacls.
Note 2: $NtUninstallKB23108$ is the Sirefef directory; the digits can be a random value. See above for how to find which directory belongs to ZeroAccess.
Now it is time for the "fsutil" tool.
Let's query the reparse point to check that the security attributes are now OK and we can continue:
fsutil reparsepoint query c:\windows\$NtUninstallKB23108$
Accessible, OK. Remove the reparse point:
fsutil reparsepoint delete c:\windows\$NtUninstallKB23108$
After the reparse point is removed you can access this directory from Windows Explorer, explore its contents and finally delete this trash with Shift-Del.
Done, with no 3rd-party BSOD generators involved.
Waiting for something more interesting from Win32/Sirefef in the future.
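The manual cacls/fsutil steps above, wrapped into one cmd.exe batch script. This is an added example, not part of the original post: the script name, the $NtUninstallKBnnnnn$ name check, the GRP variable, and the use of errorlevel to stop on a failed cacls/fsutil call are all my assumptions. It must be run only after MRT has disinfected the driver and the machine has rebooted, since with the rootkit still active the directory stays protected.

```batch
@echo off
rem Added example (not from the original post): wraps the cacls + fsutil cleanup
rem of the Sirefef leftover directory on Windows XP (cmd.exe).
rem Usage: cleanup_sirefef_dir.cmd "C:\WINDOWS\$NtUninstallKB23108$"
rem The path is an argument because the digits in the name are random per infection.
setlocal

if "%~1"=="" (
    echo Usage: %~nx0 ^<path to the $NtUninstallKBnnnnn$ directory^>
    exit /b 1
)
set "TARGET=%~1"

rem Group to revoke and re-grant. The post's (localized) system shows it as "All";
rem on English Windows the built-in group is "Everyone". Assumption: adjust to your locale.
set "GRP=Everyone"

rem Safety check (assumption): only touch names matching $NtUninstallKB<digits>$,
rem so a typo cannot strip and rewrite the ACL of an unrelated folder.
echo %~nx1| findstr /r /c:"^\$NtUninstallKB[0-9][0-9]*\$$" >nul
if errorlevel 1 (
    echo "%TARGET%" does not look like a $NtUninstallKBnnnnn$ directory, aborting.
    exit /b 1
)

rem Step 1: repair the trashed security attributes by revoking the group
rem and granting it full control again (/e edit in place, /c continue on errors).
cacls "%TARGET%" /e /c /r %GRP%
cacls "%TARGET%" /e /c /g %GRP%:F

rem Step 2: query the reparse point. A successful query means the ACL fix worked
rem and the directory is reachable; a failure means it is still not accessible
rem (assumption: fsutil returns a non-zero exit code on failure).
fsutil reparsepoint query "%TARGET%"
if errorlevel 1 (
    echo Reparse point query failed, directory still not accessible. Aborting.
    exit /b 1
)

rem Step 3: delete the reparse point and show the now-visible contents.
fsutil reparsepoint delete "%TARGET%"
if errorlevel 1 (
    echo Failed to delete the reparse point.
    exit /b 1
)
dir /a "%TARGET%"
echo Reparse point removed. Review the listing above, then delete the directory
echo manually (Shift-Del in Explorer) or with: rd /s /q "%TARGET%"
endlocal
```

The script deliberately stops short of deleting the directory itself: the point of the manual procedure is to look at what Sirefef left behind (plugins, configuration data) before the trash is removed, so the final deletion is left to the operator.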