A forum for reverse engineering, OS internals and malware analysis 

Ask your beginner questions here.
 #9717  by D_Harry
 Wed Nov 16, 2011 5:40 pm
Hey guys,

I need your expert advice...

In the last few days I tried to infect Windows 7 x86 (Ultimate) and sometimes x64 (installed inside Oracle VM VirtualBox 4.1.6) with the ZeroAccess rootkit... However, ZA completely failed to infect the system?

First I thought this was due to the latest Windows updates (in combination with recent Windows Defender definitions), since Windows Defender showed warnings upon execution of the dropper PE (of course), but even a freshly installed Windows 7 without any updates (e.g. without SP1) did not get infected by ZA; sometimes it crashes explorer.exe... ?

Up to now, only one dropper (from this month, denoted by Microsoft as TrojanDropper:Win32/Sirefef.J) showed a "response" in terms of restarting the OS, followed by a BSOD and a boot loop...

Some older droppers (June / July), which are even cross-platform (x86 & x64), successfully deleted the PE after execution, but also fail to inject.

Is it due to Oracle VM VirtualBox? Maybe I should try VMware Workstation (8.0)? Or is it VMs in general?

Thanks and best regards,
D_Harry
 #9720  by EP_X0FF
 Thu Nov 17, 2011 1:18 am
Try something like WinXP + VBox 4.x. It should work if the dropper has no anti-VM code. Or use a real machine instead.
 #9749  by D_Harry
 Fri Nov 18, 2011 5:04 pm
Hi EP_X0FF,

Thanks for your answer.
Today I used VMware Workstation 8.0 as the virtual machine. Now ZeroAccess was successfully installed into Windows XP and also Windows 7. It seems that the dropper can detect VirtualBox as a virtual machine...

Regards,
D_Harry