A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #7183  by rkhunter
 Sun Jul 10, 2011 1:48 pm
Brookit wrote: Interesting blog post about the new ZeroAccess variant:

http://blog.webroot.com/2011/07/08/zero ... -tripwire/

Besides most facts EP_X0FF already mentioned, it contains an interesting discovery:
Interestingly enough, it also looks like the rootkit has a backdoor: If you run a file with a specific timestamp, PE checksum, and MajorOperatingSystemVersion and MinorOperatingSystemVersion properties, the rootkit will ignore the file. Such functionality could allow the rootkit’s creator to, for instance, run a custom tool that removes all trace of the rootkit code, which the rootkit itself will ignore.
:D
Yeah, good article! And these things are very interesting.

The most interesting development is ZeroAccess’ use of another, second rootkit driver (as described above) as a weapon to kill, without mercy, every kind of security software. Not only does the security scanner call its own ExitProcess(), but after the software has been killed, the rootkit ratchets up the nuisance level to 11: It resets the ACL setting of the process’s file, rendering the file unusable unless the user manually sets back the correct ACL.

Why is this fake process able to terminate most security software? Because every security software runs a process scan as part of a full system scan. By scanning the process list, the security software trips over the fake process and it gets killed – both the process and the file’s ACL settings. The security software is effectively gone.
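For a defender triaging a suspected ZeroAccess sample, an added example (not from this post or the Webroot article) that pulls out the four PE header fields the quoted passage says the rootkit compares before ignoring a file: TimeDateStamp, CheckSum, MajorOperatingSystemVersion and MinorOperatingSystemVersion. The sample PE bytes and the values in them are constructed for offline testing; the actual whitelisted values are not given on the page.

```python
import struct
from datetime import datetime, timezone

def parse_pe_fields(data: bytes) -> dict:
    """Return the header fields the post says the rootkit's whitelist keys on."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, _, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 68 or len(data) < opt + 68:
        raise ValueError("optional header too short")
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # Major/MinorOperatingSystemVersion (offset 40) and CheckSum (offset 64)
    # sit at the same optional-header offsets in both PE32 and PE32+.
    major_os, minor_os = struct.unpack_from("<HH", data, opt + 40)
    checksum = struct.unpack_from("<I", data, opt + 64)[0]
    return {
        "pe32plus": magic == 0x20B,
        "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "checksum": checksum,
        "os_version": (major_os, minor_os),
    }

def build_sample_pe(timestamp, checksum, major_os, minor_os, pe32plus=False) -> bytes:
    """Constructed headers-only PE image, used here only as test input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0,
                       timestamp, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<HH", opt, 40, major_os, minor_os)
    struct.pack_into("<I", opt, 64, checksum)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print(parse_pe_fields(build_sample_pe(0x4E181B50, 0x1234ABCD, 5, 1)))
```

Running it over every executable dropped by a sample and diffing these four fields against a clean build of the same file is a cheap way to spot tooling the rootkit has been told to leave alone.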
 #7184  by kmd
 Sun Jul 10, 2011 1:59 pm
For me, I note one strange thing:

whenever a new rk is discovered and posted, in the next few days this guy from Prevx drops an article about it, making PR for his company.

Maybe instead of lurking here Mister Giuliani will finally register?
 #7185  by EP_X0FF
 Sun Jul 10, 2011 2:27 pm
kmd wrote: For me, I note one strange thing:

whenever a new rk is discovered and posted, in the next few days this guy from Prevx drops an article about it, making PR for his company.

Maybe instead of lurking here Mister Giuliani will finally register?

Well, with his usual cosplay as Captain Obvious / Pioneer and other marketing BS, this time he added some details about other rootkit features. There are not so many papers about ZeroAccess in public. Eraser lurking here? Hmm, nobody cares. Prevx? Always wondering WTF that is. Some sort of drug?
 #7204  by erikloman
 Mon Jul 11, 2011 10:10 am
From the PDF:
... the rootkit driver allocates inside the target process 165 bytes of memory and injects there its malicious payload. Then, the code is executed by scheduling an APC. When executed from inside the target process space, the malicious payload walks the module list, looking for kernel32.dll. Then, it parses the export table and looks for the ExitProcess() Win32 API. When found, the payload calls the exit process function. By doing so, the rootkit forces the target process into killing itself ...
What is worth noting is that the malicious payload also corrupts the stack. So blocking ExitProcess() has no point: the stack is corrupt and your process ends with an Access Violation. Nice way to kill off an AV. It might as well not do the ExitProcess at all and just jump straight to address 0x0 from the APC :?
 #7391  by Flopik
 Mon Jul 18, 2011 7:02 pm
Is there a way to make a valid path for CreateFile with \Device\svchost.exe \svchost.exe ?
Maybe I need to add the SymbolicLink
 #7401  by EP_X0FF
 Tue Jul 19, 2011 6:22 am
Flopik wrote: Is there a way to make a valid path for CreateFile with \Device\svchost.exe \svchost.exe ?
Maybe I need to add the SymbolicLink

NtCreateFile/DefineDosDevice
 #7424  by PX5
 Tue Jul 19, 2011 8:21 pm
Loader plus dropped files.

Some more interesting changes I think?

Dropper
http://www.virustotal.com/file-scan/rep ... 1311072754

Driver
http://www.virustotal.com/file-scan/rep ... 1311086170

Dumped-Module
http://www.virustotal.com/file-scan/rep ... 1311106155

Desktop.ini
http://www.virustotal.com/file-scan/rep ... 1311078309

c_79610.nls is encrypted I believe, not really sure what its purpose is.

It is interesting to do a string search for c_12345.nls; it seems it will inject whatever the nls file refers to into legit running services like Windows Update and other 3rd-party software, which I'm sure trashes these files and programs.


When fully active, seems to have some more kill routines, not limited to just AVs.
 #7430  by EP_X0FF
 Wed Jul 20, 2011 4:01 am
Overall it is 6 in 1. x86-x64 components in place, driver-killer in place.

I don't remember if this was in the last sample:
Tell that bitch to be cool! Say 'bitch be cool'!
<- the authors love Pulp Fiction.

For some unknown reason this incredible rootkit completely died after reboot, leaving only the driver-killer.

+ they made some little improvements; for some of them we can say thank you to Mister Eraser :)
 #7435  by erikloman
 Wed Jul 20, 2011 9:15 am
EP_X0FF wrote: Overall it is 6 in 1. x86-x64 components in place, driver-killer in place.

I don't remember if this was in the last sample:
Tell that bitch to be cool! Say 'bitch be cool'!
<- the authors love Pulp Fiction.

For some unknown reason this incredible rootkit completely died after reboot, leaving only the driver-killer.

+ they made some little improvements; for some of them we can say thank you to Mister Eraser :)
I don't think the paper solely contributed to the recent changes in ZeroAccess. Most recent changes are near impossible to make in a few days (since Eraser released his paper). I guess ZeroAccess authors had these in their pipeline for quite some time.

In general, as soon as the authors of rootkits see their creature being slain, they come up with new weaponry and defenses. A good example is the evolution of TDL3 into TDL4. These guys keep tinkering until it's perfect. It's software, it's never done :)

I think Eraser's papers and THIS forum are both an invaluable asset to the malware research industry!