A forum for reverse engineering, OS internals and malware analysis 

Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.

Re: Rootkit ZeroAccess (aka MAX++)

 #9068  by Ladik
 Mon Oct 10, 2011 8:29 am
Another sample. Packer changed again. Also, this version no longer creates the \??\ACPI#PNP0303#2&da1a3ff&0 symlink, but it creates \??\%08X instead. The number in the format string is retrieved by XORing all four 32-bit values from the MD5 of Systemroot volume creation time. I don't have dropper for it, but it can be installed by running an old ZeroAccess dropper, and replacing infected driver in System32\drivers.
Attachments
Password: malware
(87.16 KiB) Downloaded 66 times

Re: Rootkit ZeroAccess (aka MAX++)

 #9084  by Xylitol
 Tue Oct 11, 2011 2:52 pm
Anal_Porn_Movie_162.mpeg.exe ~ 5/43 >> 11.6%
http://www.virustotal.com/file-scan/rep ... 1318344250

ipsec.sys ~ 1/43 >> 2.3%
http://www.virustotal.com/file-scan/rep ... 1318343379
Attachments
pw: infected
(335.48 KiB) Downloaded 64 times

Re: Rootkit ZeroAccess (aka MAX++)

 #9106  by EP_X0FF
 Wed Oct 12, 2011 12:59 pm
ZeroAccess sample + infected driver.

For "How To" identify ZeroAccess and do preliminary analysis refer to this Frank's post

Almost statically FUD

http://www.virustotal.com/file-scan/rep ... 1318422204
Attachments
pass: malware
(310.87 KiB) Downloaded 83 times

Re: Rootkit ZeroAccess (aka MAX++)

 #9131  by Ladik
 Fri Oct 14, 2011 9:34 am
New sample. No longer creates a bait service. Symbolic link and protected storage remain unchanged.
Attachments
password: malware
(155.82 KiB) Downloaded 78 times

Re: Rootkit ZeroAccess (aka MAX++)

 #9284  by Flopik
 Wed Oct 19, 2011 3:06 pm
Sample MD5 : 88753E004EF0A8A57D5632613CAC7EFA
They use ntfs ads in service process:

!process 81959B58 0
PROCESS 81959b58 SessionId: 0 Cid: 0314 Peb: 7ffd8000 ParentCid: 02a0
DirBase: 048003c0 ObjectTable: e13281e8 HandleCount: 5.
Image: 3972565216:527906579.exe

lkd> dt _FILE_OBJECT 0x819720e0
+0x030 FileName : _UNICODE_STRING "\WINDOWS\3972565216"

Im wondering why the VAD doesnt have the full name with ADS stream , the information seem only available in usermode from PEB:
lkd> !peb 0x7ffd8000
Base TimeStamp Module
400000 4e3e9782 Aug 07 09:47:46 2011 C:\WINDOWS\3972565216:527906579.exe <----
ImageFile: 'C:\WINDOWS\3972565216:527906579.exe' <------

Re: Rootkit ZeroAccess (aka MAX++)

 #9288  by EP_X0FF
 Wed Oct 19, 2011 4:04 pm
Flopik wrote:Im wondering why the VAD doesnt have the full name with ADS stream
and why it should?

Re: Rootkit ZeroAccess (aka MAX++)

 #9292  by EP_X0FF
 Wed Oct 19, 2011 4:42 pm
It is doing so many stuff in kernel mode, so it's not hidden at all. Check objects directory, check threads etc etc, ~one million ways. See 4 posts above for link to example.

Re: Rootkit ZeroAccess (aka MAX++)

 #9297  by Blaze
 Wed Oct 19, 2011 6:02 pm
EvilCry,

Is it possible you can post a copy of your Zaccess paper ? It appears the link has been removed.

thanks !
  • 1
  • 12
  • 13
  • 14
  • 15
  • 16
  • 38
 Return to “Malware”