It will be very interesting to read next parts, for me especially part 4 :)
Excellent work.
Excellent work.
Ring0 - the source of inspiration
A forum for reverse engineering, OS internals and malware analysis
Thank you EP_X0FF, part 4 essentially deals with involved website and Ecatel ISP :)
Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit
All 4 parts now available from previous link. Thanks Evilcry :)
All 4 parts now available from previous link. Thanks Evilcry :)
Problem I am having with the article, although very professional, thorough and well-done, it seems to be analysing an incarnation of ZAccess/Sirefef that is extremely old in terms of malware. The sample dropper it examines is from the first quarter of this year - I have not seen this incarnation for a long time. There is a newer version of this that I posted (cdrom.sys) http://www.kernelmode.info/forum/viewto ... t=23#p3257 that is much newer and much harder to remove.
Reading through the article I hope to still gain a deeper understanding that will help me with the more modern versions of ZAccess.
Thanks EvilCry!
Reading through the article I hope to still gain a deeper understanding that will help me with the more modern versions of ZAccess.
Thanks EvilCry!
Great all 4 parts. Excellent reversing and analysis. Thanks Evilcry :)
Who controls the past controls the future
Who controls the present controls the past
Who controls the present controls the past
hi all,
i've just analyzed a sample of this malware. find attached, the original dropper, the unpacked dropper, as well as the decrypted usermode payload and decrypted driver itself.
pw: infected
have fun!
cheers,
frank
PS @evilcry: lately read your paper on zeroaccess. very nice work!
i've just analyzed a sample of this malware. find attached, the original dropper, the unpacked dropper, as well as the decrypted usermode payload and decrypted driver itself.
pw: infected
have fun!
cheers,
frank
PS @evilcry: lately read your paper on zeroaccess. very nice work!
Attachments
(152 KiB) Downloaded 150 times
Crashes on reboot on the driver it infects. Both x86 XP SP3 and x86 Vista SP2. Vbox
Yes, I have the same behavior. Stuff extremely buggy.
edit:
How about this one?
http://www.virustotal.com/file-scan/rep ... 1292002640
edit:
How about this one?
http://www.virustotal.com/file-scan/rep ... 1292002640
Attachments
pass: malware
(105.07 KiB) Downloaded 100 times
(105.07 KiB) Downloaded 100 times
Last edited by EP_X0FF on Fri Dec 10, 2010 5:43 pm, edited 1 time in total.
Reason: edit
Ring0 - the source of inspiration
EP_X0FF wrote:Yes, I have the same behavior. Stuff extremely buggy.The Vbma***.sys file which is dropped by this Dropper looks very stubborn to remove.. I can see many Forum Moderators Tremble with this Rootkit. TDSSKILLER just report this as Locked Services & fails to delete. Combofix fails as well. Its been said that , post uninstalling [cmz vmkd] Virtual Bus, Combo will fix this..Avenger says that, it has deleted the Driver & the .sys file, but its getting recreated as soon as the pc restarts with Avenger script.
edit:
How about this one?
http://www.virustotal.com/file-scan/rep ... 1292002640
Anyone has any easy fix to remove this ?? If so, pls share the same.
Thanks in Advance :)
