Rootkit ZeroAccess (alias MaxPlus, Sirefef) - Page 5

Re: Rootkit ZeroAccess (aka MAX++)

#3938 by PX5
Sat Dec 11, 2010 6:02 pm

Find the protector dll, mine was dropped in a subfolder inside WinSxS, made to appear as a backup file or something since subfolder is named like all backup folders for Vista/7

Arrogance led me to my Ignorance

Username

PX5

Posts

144

Joined

Thu Apr 29, 2010 1:14 am

Re: Rootkit ZeroAccess (aka MAX++)

#3941 by ConanTheLibrarian
Sat Dec 11, 2010 10:03 pm

vbma*** is not ZeroAcces - it is KillAV.D.

Username

ConanTheLibrarian

Posts

56

Joined

Mon Mar 15, 2010 1:12 am

Location

USA

Contact

Re: Rootkit ZeroAccess (aka MAX++)

#3967 by B-boy/StyLe/
Sun Dec 12, 2010 10:52 pm

windbreaker11 wrote:vbma*** is not ZeroAcces - it is KillAV.D.

vbma*.sys is a variant of Win32/Rootkit.Agent.NTT trojan or Rootkit.Win32.Agent.bjqb 1 ;)

Here it is one new Trojan.KillAV.D

Regards,
G. ;)

Attachments

KILLAV.zip

pass: infected
(55.43 KiB) Downloaded 85 times

Username

B-boy/StyLe/

Posts

51

Joined

Mon Mar 22, 2010 2:43 am

Re: Rootkit ZeroAccess (aka MAX++)

#5014 by EP_X0FF
Fri Feb 11, 2011 3:24 pm

Here is some new ZeroAccess build, thanks goes to PX5.
Still infects drivers, still stores data on hidden volume, sample enough reverse-friendly.

Attachments

MaxRootkit_2011_1.rar

pass: malware
(32.49 KiB) Downloaded 141 times

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit ZeroAccess (aka MAX++)

#5129 by digitalranger
Mon Feb 21, 2011 8:29 pm

EP_X0FF wrote:Here is some new ZeroAccess build, thanks goes to PX5.
Still infects drivers, still stores data on hidden volume, sample enough reverse-friendly.

It can infect only XP kernel or Win 7 kernel too?

Username

digitalranger

Posts

1

Joined

Mon Feb 21, 2011 7:20 pm

Re: Rootkit ZeroAccess (aka MAX++)

#5143 by EP_X0FF
Wed Feb 23, 2011 9:52 am

It does not infect kernel it infect drivers. Start vm and try yourself.

Ring0 - the source of inspiration

Username

EP_X0FF

Rank

Global Moderator

Posts

4947

Joined

Sun Mar 07, 2010 5:35 am

Location

Russian Federation

Contact

Re: Rootkit ZeroAccess (aka MAX++)

#5215 by Flopik
Mon Feb 28, 2011 4:50 pm

That's a nice malware , hidden from the PsLoadedModuleList & Object directory

lkd> dt _DRIVER_OBJECT 812203B0
ntdll!_DRIVER_OBJECT
+0x000 Type : 4
+0x002 Size : 168
+0x004 DeviceObject : (null)
+0x008 Flags : 4
+0x00c DriverStart : (null)
+0x010 DriverSize : 0
+0x014 DriverSection : 0x82261b70
+0x018 DriverExtension : 0x81220458 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\driver\2989018276"
+0x024 HardwareDatabase : (null)
+0x028 FastIoDispatch : 0xf89f6550 _FAST_IO_DISPATCH
+0x02c DriverInit : 0xb2106764 long <Unloaded_dFlr1nhs.SYS>+5764
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : 0xf89f3e52 void +fffffffff89f3e52
+0x038 MajorFunction : [28] 0xf89f3dd9 long +fffffffff89f3dd9

lkd> dt _LDR_DATA_TABLE_ENTRY 0x82261b70
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82261b70 - 0x82261b70 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase : 0xf89f2000
+0x01c EntryPoint : 0xf89f3ed8
+0x020 SizeOfImage : 0x7000
+0x024 FullDllName : _UNICODE_STRING ""
+0x02c BaseDllName : _UNICODE_STRING "80000002.sys"
+0x034 Flags : 0x1004000
+0x038 LoadCount : 1
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0xffffffff - 0x7aff ]
+0x03c SectionPointer : 0xffffffff
+0x040 CheckSum : 0x7aff
+0x044 TimeDateStamp : 0xfffffffe
+0x044 LoadedImports : 0xfffffffe
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : 0x00300038

B-boy/StyLe/ wrote:
windbreaker11 wrote:vbma*** is not ZeroAcces - it is KillAV.D.

vbma*.sys is a variant of Win32/Rootkit.Agent.NTT trojan or Rootkit.Win32.Agent.bjqb 1 ;)

Here it is one new Trojan.KillAV.D

Regards,
G. ;)