A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6865  by EP_X0FF
 Sat Jun 18, 2011 11:54 pm
hnpl2011 wrote:I'm looking for sample with MD5:adf1ddd89d424e8d0e275cc42747ec81
anyone have it, please post it here
thanks,
ZeroAccess x64
Attachments
malware
(15.58 KiB) Downloaded 71 times
 #6902  by PX5
 Wed Jun 22, 2011 7:30 am
x64 compatible?

Thanks for the heads up Frank! :)
Attachments
pass: malware
(66.17 KiB) Downloaded 89 times
Last edited by EP_X0FF on Wed Jun 22, 2011 11:59 am, edited 2 times in total. Reason: sample reupload with password
 #6903  by EP_X0FF
 Wed Jun 22, 2011 11:59 am
PX5 wrote:x64 compatible?
Yes. Thanks, archive uploaded with password.

Payload dll was posted earlier here
 #6910  by SecConnex
 Thu Jun 23, 2011 1:45 am
I wouldn't mind taking another look. I don't have a sample anymore, but I loved getting a shot at this with CF.

Looks like it might be fun over here: http://www.bleepingcomputer.com/forums/topic403565.html :)

I'm sure, even if ZeroAccess converted itself to x64, CF should still find at least the bulk of the surprise.

Its new version is not very different from the x86 version...it is a user mode malware uniquely designed to replicate classic iterations. For one...the dropper is no longer a rootkit...two, its components are files and stored in $windir\assembly...three, Autorun on x64 systems is done in this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems...four, the body of the dropper is (usually) located in the %system% folder...five, all of the dropper downloads following its original install are designed for x64 platforms, whereby NOT being rootkit related.

However, a word of warning when it decides to be installed by TDL4...it will be protected, and TDL will need to be removed first, and then ZeroAccess removed quickly.

It's a fun malware to play with, too. :)

Couple of still active samples:

http://www.virustotal.com/file-scan/rep ... 1308713817
http://www.virustotal.com/file-scan/rep ... 1308737882
http://www.virustotal.com/file-scan/rep ... 1308732761
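A hunting check for the SubSystems autorun location named in the post above, added here as an example (it is not the poster's code): it parses the ServerDll= entries of that key's "Windows" value and flags any DLL csrss would load that is not in a known-good set. The value format, the known-good names (basesrv, winsrv, sxssrv, taken from a Windows 7 era host) and the appended `placeholder_added` entry in the sample value are assumptions/constructed for the example.

```python
import re
import sys

# Hypothetical known-good ServerDll names for the sample below; the real set
# depends on the Windows version, so take it from a clean reference machine.
KNOWN_GOOD_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Constructed sample of the "Windows" value under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, with one
# extra ServerDll entry (placeholder name) appended the way a tamper would look.
SAMPLE_VALUE = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ServerDll=placeholder_added:Init,2 ProfileControl=Off MaxRequestThreads=16"
)

# ServerDll=<dll>[:<entrypoint>][,<index>]  (csrss loads each listed DLL)
SERVER_DLL_RE = re.compile(r"ServerDll=([^\s,:]+)(?::([^\s,]+))?(?:,(\d+))?",
                           re.IGNORECASE)


def parse_server_dlls(value):
    """Return (dll_name, entrypoint_or_None, index_or_None) for each entry."""
    entries = []
    for name, entry, index in SERVER_DLL_RE.findall(value):
        entries.append((name.lower(), entry or None,
                        int(index) if index else None))
    return entries


def find_unexpected(value, known_good=KNOWN_GOOD_SERVER_DLLS):
    """Names of ServerDll entries that are not in the known-good set."""
    return [name for name, _, _ in parse_server_dlls(value)
            if name not in known_good]


def read_live_value():
    """Read the live value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg
    path = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        return winreg.QueryValueEx(key, "Windows")[0]


if __name__ == "__main__":
    value = read_live_value() or SAMPLE_VALUE
    print("unexpected ServerDll entries:", find_unexpected(value))
```

On a live host, compare the flagged names against the matching files on disk; a name that csrss loads but that is not a known Windows server DLL is what the autorun described above looks like.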
 #6917  by D-FRED-BROWN
 Thu Jun 23, 2011 5:28 pm
However, a word of warning when it decides to be installed by TDL4...it will be protected, and TDL will need to be removed first, and then ZeroAccess removed quickly.
I've found that's not necessarily true...
 #6921  by EP_X0FF
 Fri Jun 24, 2011 2:38 am
TDL3/3+ can't protect or hide files that are not on its own VFS. Impossible by rootkit and Windows design.
 #6974  by EP_X0FF
 Wed Jun 29, 2011 7:00 am
Some fresh ZeroAccess for collection.

This dropper is cross-platform. It contains both x86 and x64 malware versions.

In the attachment: dropper, some decrypted stuff, driver-loader, infected driver and rootkit hidden volume dump.

Also notice the special svchost process with the \\.\globalroot\Device\svchost.exe\svchost.exe path; it is fake, the real one points to the \Device\Svchost.exe special device created by the second rootkit driver (disk access to it results in program termination and file execution block). Some sort of active anti-detection trick used a long time before in the original MaxPlus backdoor.

This time it kills some security permissions for the file. This can be reverted through the File->Security page.
Code:
 // Decompiled fragment: opens the file for WRITE_DAC (0x40000) with full sharing
 // (FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE == 7) and then replaces
 // its DACL (DACL_SECURITY_INFORMATION == 4) with the rootkit's own descriptor.
 if (NT_SUCCESS( ZwOpenFile(&Handle, 0x40000u, &ObjectAttributes, &IoStatusBlock, 7u, 0) ))
 {
           ZwSetSecurityObject(Handle, 4u, &SecurityDescriptor);
           ZwClose(Handle);
 }
Attachments
pass: malware
(287.63 KiB) Downloaded 144 times
 #7163  by Brookit
 Sat Jul 09, 2011 9:57 am
Interesting blog post about the new ZeroAccess variant:

http://blog.webroot.com/2011/07/08/zero ... -tripwire/

Besides most facts EP_X0FF already mentioned, it contains an interesting discovery:
Interestingly enough, it also looks like the rootkit has a backdoor: If you run a file with a specific timestamp, PE checksum, and MajorOperatingSystemVersion and MinorOperatingSystemVersion properties, the rootkit will ignore the file. Such functionality could allow the rootkit’s creator to, for instance, run a custom tool that removes all trace of the rootkit code, which the rootkit itself will ignore.
:D