A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #3467  by EP_X0FF
 Sat Nov 13, 2010 10:47 am
It will be very interesting to read the next parts, for me especially part 4 :)
Excellent work.
 #3514  by nullptr
 Tue Nov 16, 2010 1:01 pm
Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit

All 4 parts now available from previous link. Thanks Evilcry :)
 #3544  by ConanTheLibrarian
 Wed Nov 17, 2010 2:55 pm
The problem I am having with the article, although it is very professional, thorough and well done, is that it seems to be analysing an incarnation of ZAccess/Sirefef that is extremely old in malware terms. The sample dropper it examines is from the first quarter of this year - I have not seen this incarnation for a long time. There is a newer version of this that I posted (cdrom.sys) http://www.kernelmode.info/forum/viewto ... t=23#p3257 that is much newer and much harder to remove.

Reading through the article I hope to still gain a deeper understanding that will help me with the more modern versions of ZAccess.

Thanks EvilCry!
 #3548  by Meriadoc
 Wed Nov 17, 2010 5:46 pm
Great, all 4 parts. Excellent reversing and analysis. Thanks Evilcry :)
 #3835  by frank_boldewin
 Sat Dec 04, 2010 10:41 am
Hi all,

I've just analyzed a sample of this malware. Find attached the original dropper, the unpacked dropper, as well as the decrypted usermode payload and the decrypted driver itself.

pw: infected

Have fun!

Cheers,
frank

PS @evilcry: I lately read your paper on ZeroAccess. Very nice work!
 #3912  by EP_X0FF
 Fri Dec 10, 2010 4:37 pm
Yes, I have the same behavior. Stuff is extremely buggy.

edit:

How about this one?

http://www.virustotal.com/file-scan/rep ... 1292002640
pass: malware
 #3935  by kiskav
 Sat Dec 11, 2010 3:19 pm
EP_X0FF wrote: Yes, I have the same behavior. Stuff is extremely buggy.

edit:

How about this one?

http://www.virustotal.com/file-scan/rep ... 1292002640
The Vbma***.sys file which is dropped by this dropper looks very stubborn to remove. I can see many forum moderators tremble at this rootkit. TDSSKiller just reports it as a locked service and fails to delete it. ComboFix fails as well. It's been said that, after uninstalling the [cmz vmkd] Virtual Bus, ComboFix will fix this. Avenger says that it has deleted the driver and the .sys file, but it gets recreated as soon as the PC restarts with the Avenger script.

Does anyone have an easy fix to remove this? If so, please share it.

Thanks in Advance :)