A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #27860  by R136a1
 Fri Feb 12, 2016 11:02 am
In this article, I will discuss various tools that I have found during the past few months and which I believe are from the same author as the ZeroAccess malware. It is also possible that the source code of the bot was sold after the “takedown” in 2013 and someone is now trying to make profit from it. This would at least make sense if we consider the behavior of the latest version of the ZeroAccess botnet (v3) which looks like it was only setup for testing purposes.

The collected samples are mostly test tools and could but be attributed due to some unique coding characteristics of ZeroAccess author. At first, the author _heavily_ relies on native system functions instead of high-level API functions in their user mode applications. Secondly, the author only uses Zw* function prefix and never the Nt* prefix. The combination of these two characteristics alone dramatically narrows down possible candidates in sample databases nowadays. Moreover, some of the tools make use of shellcode and the author has a unique technique to resolve string addresses. Additionally, we have found some samples with PDB path strings and other strings which overlap between the tools. Finally, many of the tools which contain other embedded files are stored always inside RCDATA section.

Thanks to EP_X0FF for help on the technical part.


UAC demo tool
In October last year, I stumbled across a small tool which obviously was created to advertise an UAC bypass method. At first glance, the method looked similar to the one used by H1N1 loader released at the beginning of 2015. Also, the compilation timestamp dated 20. August 2015 which indicated the tool was maybe created by the author of H1N1 loader. But after a closer look at the code it turned out it’s not exactly the same technique.
After the discovery of the new ZeroAccess botnet (v3) at the beginning of this year, also a sample of this bot was found which dated back to December 2014. After analyzing the sample, we can say for sure that the UAC demo tool is based on the ZeroAccess source code or was coded by its author. The code and the payload dll are identical, only the compilation timestamp of the payload differs.

ImageImageImage
Image

But for whom was this demo tool created? Was it sold in an underground forum or shared in private? A few days ago, I have found a variant of Cryptodefense which dates back to 26. October 2015 according to the compilation timestamp. This sample uses the exact same method advertised in the demo tool, even the payload dll has the same compilation timestamp. Although, it is possible that the creator of the demo tool itself is the person behind this Cryptodefense variant, it seems very unlikely. The code of this Cryptodefense malware is different and by far not as advanced as any of the ZeroAccess tools.

UAC demo tool: https://www.virustotal.com/en/file/1597 ... /analysis/
Cryptodefense variant: https://www.virustotal.com/en/file/3c36 ... /analysis/


Custom LPE exploit (CVE-2015-1701)
This a test tool which exploits a vulnerability in win32k.sys kernel driver known as CVE-2015-1701 to gain system privileges. Probably, the author was inspired by the reverse engineered open source code from EP_X0FF. We can see the typical ZeroAccess way to alter the execution flow by registering an vectored exception handler and setting a hardware breakpoint on a specific function. When this function is then called, the exception handler jumps in and continues the execution. In the case of this exploit a hardware breakpoint is set on KiUserExceptionDispatcher which afterwards is internally called by CreateWindowEx function.

Image
ImageImage
Image

What is also important in association with the other tools is the PDB path left in the executable:
“d:\ZZZ\release\ui.pdb”

Custom LPE exploit (CVE-2015-1701): https://www.virustotal.com/en/file/1f8c ... /analysis/


ZeroAccess test dropper
This is an early version of the encrypted PNG dropper used to spread ZeroAccess v3. The difference between this early and the final version of the dropper is that it does not use XOR encryption and the file inside is only a test dll that poses as legit Windows file mshtmlmedia.dll. The test dll uses the same method as the final ZeroAccess v3 malware to load itself as legit Windows file comres.dll and calls its entry point.

Image

What is also important in association with the other tools is the PDB path left in the test dll:
“d:\ZZZ\release\mshtmlmedia.pdb”

ZeroAccess test dropper: https://www.virustotal.com/en/file/9e98 ... c4fd23a04/


Injection test tool
This is a cross-platform (x86/x64) injection test tool realized as an x86 executable. It has two dlls stored inside the RCDATA section, one for each platform. The respective dll gets injected into the notepad.exe process which has to be started before. The injection of the x64 dll from the x86 process on a x64 Windows (Wow64) is done via the so called Heaven’s Gate. The injection process is done via obfuscated API calls that map the sections manually into the target and then doing the loader job. This type of injection is one of the more stealthy variants, since the injected dll does not appear in the loaded library lists.

ImageImage

Injection test tool: https://www.virustotal.com/en/file/9f36 ... a328779da/


Password encrypted file
This is kind of a self-extracting executable which contains the encrypted content inside the PE resource section, but without any compression. After the executable gets started a dialog box appears and a password has to be entered. Internally, a MD5 hash of the password is created which then gets used as the decryption key for the stream cipher known as Rabbit. Unfortunately, what is inside the file remains unknown, unless you know the correct password.

Image

What is also important in association with the other tools are two Unicode strings inside the binary:
“This 32-bit app can not run on 64-bit Windows”
“Use 64-bit version!”

Password encrypted file: https://www.virustotal.com/en/file/c061 ... bb4f06e5c/


Dll list tool
This is a non-malicious tool with the purpose to list all processes along with their loaded dlls. I have found two samples of which one is self-signed with the name “max black”. Again, we can see the heavy use of native system functions with Zw* prefix and similar coding style as ZeroAccess malware.

Image

What is also important in association with the other tools are two Unicode strings inside the binary:
“32-bit DllList can not run on 64-bit Windows”
“Use 64-bit version!”

Dll list tools: https://www.virustotal.com/en/file/7d3f ... 390315db1/
https://www.virustotal.com/en/file/d377 ... bb269e9a7/

That’s it! If you think you have found any other tools by this author, do not hesitate to post the file. Also, if you want to help us to find the password of the encrypted file, you are encouraged to do so. :)
Attachments
PW: infected
(158.42 KiB) Downloaded 131 times
PW: infected
(1.24 MiB) Downloaded 117 times
 #27861  by MalwareTech
 Fri Feb 12, 2016 11:08 am
Great work as usual R136a1!

I'd been told by someone in the past that ZA3 was sold after the takedown, but didn't believe him at the time, certainly is looking that way though.
 #27900  by R136a1
 Fri Feb 19, 2016 11:13 am
Hi folks,

thanks to the suggestion from EP_X0FF to search for the driver of the dll list tool (see above), I have found some new interesting information. Unfortunately, I have not found the the driver, but instead a new tool and some information about the ZeroAccess author itself. :)


BONUS-TV Player
This is a cross-platform (x86/x64) application which was obviously developed for the company Bonus-TV (http://bonus-tv.tv/) to stream TV channels over VLC media player.

Image

I have found it due to the GUID string "{F6F6D0EA-79A4-4992-9C30-293A85B6A61C}" which is also present in the dll list tool. Again, we can see the use of many native system functions with Zw* prefix, but most importantly this tool lead to the following information about the author...


ZeroAccess author
After a quick search on the Internet for certain strings from the BONUS-TV Player application, I have found some info about its author and thus of the ZeroAccess author. As you can see in the screenshots below, he is from Ukraine and located in the city of Odessa, if the data is correct.

ImageImage

We can see, this person is the author of the Bonus-TV player. Further, in the descriptions there are many coincidences with the ZeroAcccess malware and the tools described here. This person uses the alias "Max Black" in one of his résumés which can be also found in the self-signed dll list tool and also if you think about the earlier ZeroAccess versions (Max++). Also the given experience and skill level perfectly matches the coding style of ZeroAccess and the tools. Further, he listed a project called "virtual usb flash (crypto(rabbit based) disk)" which is likely related to the password encrypted file described above.

The only personal (public) information which is left in the cached version of Google is the Skype alias "maksimsamuistov". This could be interesting anyway, since the Microsoft owns Skype and the Microsoft Digital Crimes Unit filed a lawsuit against the ZeroAccess backers.

That's all.
Attachments
PW: infected
(162.19 KiB) Downloaded 65 times
PW: infected
(556.11 KiB) Downloaded 66 times
 #27901  by EP_X0FF
 Fri Feb 19, 2016 11:23 am
He constantly use the same subset of network routines in his projects, routines for working with AVL tree table and registry, etc. Very big amount of ZeroAccess shared code. Yet again - when you coded malware soo long - every your next app will look like your own malware from past :)