A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #6865  by EP_X0FF
 Sat Jun 18, 2011 11:54 pm
hnpl2011 wrote:I'm looking for sample with MD5:adf1ddd89d424e8d0e275cc42747ec81
anyone have it, please post it here
thank,
ZeroAccess x64
Attachments
malware
(15.58 KiB) Downloaded 72 times
 #6902  by PX5
 Wed Jun 22, 2011 7:30 am
x64 compatiable?

Thanks for the heads up Frank! :)
Attachments
pass: malware
(66.17 KiB) Downloaded 90 times
Last edited by EP_X0FF on Wed Jun 22, 2011 11:59 am, edited 2 times in total. Reason: sample reupload with password
 #6903  by EP_X0FF
 Wed Jun 22, 2011 11:59 am
PX5 wrote:x64 compatiable?
Yes. Thanks, archive uploaded with password.

Payload dll was posted earlier here
 #6910  by SecConnex
 Thu Jun 23, 2011 1:45 am
I wouldn't mind taking another look. I don't have a sample anymore, but I loved getting a shot at this with CF.

Looks like it might be fun over here: http://www.bleepingcomputer.com/forums/topic403565.html :)

I'm sure, even if ZeroAccess converted itself to x64, CF should still find at least the bulk of the surprise.

Its new version is not very different from the x86 version...it is a user mode malware uniquely designed to replicate classic iterations. For one...the dropper is no longer a rootkit...two, its components are files and stored in $windir\assembly...three, Autorun on x64 systems is done in this key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems...four, the body of the dropper is located (usually) is in the %system% folder...five, all of the dropper downloads following its original install are designed for x64 platforms, whereby NOT being rootkit related.

However, a word of warning when it decides to be installed by TDL4...it will be protected, and TDL will need removed first, and then ZeroAccess removed quickly.

It's a fun malware to play with, too. :)

Couple of still active samples:

http://www.virustotal.com/file-scan/rep ... 1308713817
http://www.virustotal.com/file-scan/rep ... 1308737882
http://www.virustotal.com/file-scan/rep ... 1308732761
 #6917  by D-FRED-BROWN
 Thu Jun 23, 2011 5:28 pm
However, a word of warning when it decides to be installed by TDL4...it will be protected, and TDL will need removed first, and then ZeroAccess removed quickly.
I've found that's not necessarily true...
 #6921  by EP_X0FF
 Fri Jun 24, 2011 2:38 am
TDL3/3+ can't protect or hide files that are not on it's own VFS. Impossible by rootkit and Windows design.
 #6974  by EP_X0FF
 Wed Jun 29, 2011 7:00 am
Some fresh ZeroAccess for collection.

This dropper is cross-platform. It contains both x86 and x64 malware versions.

In attach dropper, some decrypted stuff, driver-loader, infected driver and rootkit hidden volume dump.

Also notice special svchost process with \\.\globalroot\Device\svchost.exe\svchost.exe path, fake, real points to \Device\Svchost.exe special device created by second rootkit driver (disk access to it results in program termination and file execution block). Some sort of active antidetection trick used long time before in original MaxPlus backdoor.

This time it kills some security permissions for file. This can be reverted back through File->Security page.
Code: Select all
 if (NT_SUCCCESS( ZwOpenFile(&Handle, 0x40000u, &ObjectAttributes, &IoStatusBlock, 7u, 0) )) 
{
          ZwSetSecurityObject(Handle, 4u, &SecurityDescriptor);
          ZwClose(Handle);
 }
Attachments
pass: malware
(287.63 KiB) Downloaded 145 times
 #7163  by Brookit
 Sat Jul 09, 2011 9:57 am
Interesting blog post about the new ZeroAccess variant:

http://blog.webroot.com/2011/07/08/zero ... -tripwire/

Beside most facts EP_X0FF already mentioned, it contains an interesting discovery:
Interestingly enough, it also looks like the rootkit has a backdoor: If you run a file with a specific timestamp, PE checksum, and MajorOperatingSystemVersion and MinorOperatingSystemVersion properties, the rootkit will ignore the file. Such functionality could allow the rootkit’s creator to, for instance, run a custom tool that removes all trace of the rootkit code, which the rootkit itself will ignore.
:D
  • 1
  • 6
  • 7
  • 8
  • 9
  • 10
  • 38