A forum for reverse engineering, OS internals and malware analysis 

Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.

Re: Rootkit ZeroAccess (aka MAX++)

 #2328  by int0
 Thu Aug 26, 2010 7:54 am
Previous variants(first) were able to remove calling its DriverUnload routine.

Re: Rootkit ZeroAccess (aka MAX++)

 #3259  by PX5
 Sat Oct 30, 2010 12:44 am
Thats where this one belongs. :)

http://www.kernelmode.info/forum/viewto ... t=30#p3227

SIrefef is another commonly used name for this as well.

Was playing with it on Vista today to see how well it meshed, unfortunatly that machine no longer boots normal. :(

Almost every Antivirus2010 Ive run into will install this.

The reason in the increased visibility is that Baka loaders started dishing it out last week, early.

Re: Rootkit ZeroAccess (aka MAX++)

 #3279  by Evilcry
 Mon Nov 01, 2010 6:48 am
Soon will be out my paper on ZeroAccess.

It's pretty interesting to see that network activity of this rootkit is directed to
IPs that belongs to ISP and Hosting company Ecatel Network strictly linked
with RBN.

ZeroAccess is a well written rootkit, that produces two drivers, one for hiding
( Disk.sys, Atapi, Pci) and another that run PsSetLoadImageNotifyRoutine, used
to infect via APC and ZwAllocateVirtualMemory.

Infection is extremely resistant because via fmifs.dll which stands for Format Manager
for Installable File Systems ; by using FormatEx() you will have the following
\\?\C2CAD972#4079#4fd3#A68D#AD34CC121074
where will be placed all malicious files.

Re: Rootkit ZeroAccess (aka MAX++)

 #3455  by STRELiTZIA
 Fri Nov 12, 2010 6:34 pm
Hi GM,
GamingMasteR wrote:Any recent samples of this rootkit ?
Sample in first post always crashes before infection completes ...
Retested on Win XP SP3 VMWare... Infection completed without crash.

Regards.

KDetective capture:
Attachments
001.GIF
001.GIF (23.26 KiB) Viewed 707 times
  • 1
  • 2
  • 3
  • 4
  • 5
  • 38
 Return to “Malware”