Wilders Security Forums  
#1
October 3rd, 2011, 07:51 PM
Victek123 (Very Frequent Poster; Join Date: Nov 2007; Location: USA; Posts: 2,722)
WSA beta and zeroaccess rootkit

I've been hearing a lot recently about the ZeroAccess rootkit and its ability to disable security software in real-time. Has anyone tested WSA against ZeroAccess? Can it effectively prevent the rootkit from installing or remove it after the fact?
__________________
ut quod ego verus est maioribus quam ut quod est sanctus
#2
October 4th, 2011, 07:11 PM
overangry (Frequent Poster; Join Date: Apr 2009; Posts: 309)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by Victek123
I've been hearing a lot recently about the ZeroAccess rootkit and its ability to disable security software in real-time. Has anyone tested WSA against ZeroAccess? Can it effectively prevent the rootkit from installing or remove it after the fact?
No, it does no better than the other AVs.
Only today, WSA was crippled by Zero Access in my VM.
Once infected, you're history. It doesn't remove it after the fact.
#3
October 4th, 2011, 07:30 PM
hawki (Frequent Poster; Join Date: Dec 2008; Posts: 468)
Re: WSA beta and zeroaccess rootkit

http://blog.webroot.com/2011/08/03/n...ccess-goodbye/
#4
October 4th, 2011, 08:07 PM
overangry (Frequent Poster; Join Date: Apr 2009; Posts: 309)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by hawki
Good to see.
Only question I would have is how to use it if I have ZERO access
#5
October 4th, 2011, 10:44 PM
Victek123 (Very Frequent Poster; Join Date: Nov 2007; Location: USA; Posts: 2,722)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by overangry
Good to see.
Only question I would have is how to use it if I have ZERO access

I haven't tried it myself, but I observed it being used in a video and apparently it will run in an infected system. Generally, if a removal tool will not run from the normal desktop you try SAFE mode, and if that doesn't work you boot from a "rescue disk" (CD/DVD) and run the tool from there. Many security vendors offer a rescue disk as part of a complete security solution. For instance, Symantec has the Norton Bootable Recovery Tool.
__________________
ut quod ego verus est maioribus quam ut quod est sanctus
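Before moving through the escalation Victek123 describes (normal desktop, then Safe Mode, then rescue media), a defender usually wants a quick, read-only picture of which stage the host is booted in and whether the installed protection still reports as running. The following PowerShell triage script is an added example written for this page; it is not from the thread, from Webroot, or from Prevx. It assumes a Windows client edition (where the `root\SecurityCenter2` WMI namespace exists), and the service name `WRSVC` is only an assumed example value for the SecureAnywhere service and should be replaced with whatever your product registers.

```powershell
# Added triage example (not part of the original thread). Read-only: it records
# the boot stage and the reported state of registered security products so the
# "desktop -> Safe Mode -> rescue disk" decision is based on evidence rather
# than guesswork. No removal is attempted here.

function Get-ProtectionTriage {
    [CmdletBinding()]
    param(
        # Service names to check. 'WRSVC' is an ASSUMED example value for the
        # Webroot SecureAnywhere service; substitute the real name for your product.
        [string[]]$ServiceName = @('WRSVC')
    )

    # BootupState is 'Normal boot', 'Fail-safe boot' (Safe Mode) or
    # 'Fail-safe with network boot' (Safe Mode with Networking).
    $boot = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState

    # Windows Security Center keeps a registry of AV products on client editions.
    $products = @()
    try {
        $products = @(Get-CimInstance -Namespace 'root\SecurityCenter2' `
                        -ClassName AntiVirusProduct -ErrorAction Stop |
            ForEach-Object {
                # productState is widely decoded as three bytes (a convention seen in
                # many admin scripts, not a documented Microsoft contract):
                #   middle byte starting with '1' -> real-time protection enabled
                #   low byte '00' -> definitions up to date, '10' -> out of date
                $hex = '{0:X6}' -f [int]$_.productState
                [pscustomobject]@{
                    Name     = $_.displayName
                    Enabled  = ($hex.Substring(2, 1) -eq '1')
                    UpToDate = ($hex.Substring(4, 2) -eq '00')
                }
            })
    } catch {
        Write-Verbose "SecurityCenter2 not available: $($_.Exception.Message)"
    }

    # Service state as seen by the Service Control Manager. A product that is
    # registered but whose service is stopped (or missing) during a Normal boot
    # is the "crippled" condition overangry reports.
    $services = @(foreach ($name in $ServiceName) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        }
    })

    $disabledProducts = @($products | Where-Object { -not $_.Enabled })
    $stoppedServices  = @($services | Where-Object { $_.Status -ne 'Running' })

    [pscustomobject]@{
        BootupState = $boot
        Products    = $products
        Services    = $services
        # True when protection looks tampered with; in a Normal boot this is the
        # cue to try the removal tool from Safe Mode or rescue media instead.
        Suspicious  = ($disabledProducts.Count -gt 0) -or ($stoppedServices.Count -gt 0)
    }
}

# Usage: run from an elevated prompt and keep the output with the incident notes.
Get-ProtectionTriage -Verbose | Format-List
```

Run it once from the normal desktop and again after any reboot into Safe Mode; the `BootupState` field tells you which stage the record belongs to, and a `Suspicious` result at the desktop stage is the evidence that justifies moving to the next step rather than re-running the tool in the same environment.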
#6
October 5th, 2011, 04:27 AM
PrevxHelp (Prevx Moderator; Join Date: Sep 2008; Location: USA/UK; Posts: 7,584)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by overangry
No, it does no better than the other AVs.
Only today, WSA was crippled by Zero Access in my VM.
Once infected, you're history. It doesn't remove it after the fact.

Could you send me the dropper you've used? We should protect against ZeroAccess without a problem but there are indeed many versions out so it's hard to say which you'd have seen.

Thanks!
#7
October 5th, 2011, 06:54 AM
overangry (Frequent Poster; Join Date: Apr 2009; Posts: 309)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by PrevxHelp
Could you send me the dropper you've used? We should protect against ZeroAccess without a problem but there are indeed many versions out so it's hard to say which you'd have seen.

Thanks!
I'll try to locate it for you, Joe.
Can you please let me know if I can submit a suspect file via System Tools to support?
I believe that this was not available during the Beta test phase.
#8
October 5th, 2011, 07:09 AM
PrevxHelp (Prevx Moderator; Join Date: Sep 2008; Location: USA/UK; Posts: 7,584)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by overangry
I'll try to locate it for you, Joe.
Can you please let me know if I can submit a suspect file via System Tools to support?
I believe that this was not available during the Beta test phase.

It's probably worth sending it to me directly to report@prevxresearch.com so that I get it in hand.
#9
October 5th, 2011, 08:06 AM
EraserHW (Prevx Moderator; Join Date: Oct 2005; Location: Italy / UK; Posts: 584)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by overangry
Good to see.
Only question I would have is how to use it if I have ZERO access

It's enough to run the tool and follow the instructions listed on the screen.

Do you need any help with how to use it?
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes
Check your PC in about a minute
#10
October 5th, 2011, 09:02 PM
overangry (Frequent Poster; Join Date: Apr 2009; Posts: 309)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by PrevxHelp
Could you send me the dropper you've used? We should protect against ZeroAccess without a problem but there are indeed many versions out so it's hard to say which you'd have seen.

Thanks!
I'm sorry Joe, I was unable to locate the file in question.
If/when I come across another I will send it to you.
#11
October 5th, 2011, 09:18 PM
overangry (Frequent Poster; Join Date: Apr 2009; Posts: 309)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by EraserHW
It's enough to run the tool and follow the instructions listed on the screen.

Do you need any help with how to use it?
Hi EraserHW,
I'll try to get infected in my VM, then I'll see if I can run the tool.
My experience with ZeroAccess malware is varied. With some you have a little control; they can be neutralized. Others cannot: even in Safe Mode they manage to block all access to your PC.
The only solution is to use a bootable CD or restore the snapshot.

That said, I haven't read any documentation on this removal tool, which I will do now.
It was more or less a question to myself: "how is it possible?"

Thanks Eraser for your offer of help, I'll have a look at it sometime today and post my experience.
#12
October 6th, 2011, 11:01 AM
EraserHW (Prevx Moderator; Join Date: Oct 2005; Location: Italy / UK; Posts: 584)
Re: WSA beta and zeroaccess rootkit

Quote:
Originally Posted by overangry
Hi EraserHW,
I'll try to get infected in my VM, then I'll see if I can run the tool.
My experience with ZeroAccess malware is varied. With some you have a little control; they can be neutralized. Others cannot: even in Safe Mode they manage to block all access to your PC.
The only solution is to use a bootable CD or restore the snapshot.

That said, I haven't read any documentation on this removal tool, which I will do now.
It was more or less a question to myself: "how is it possible?"

Thanks Eraser for your offer of help, I'll have a look at it sometime today and post my experience.

You're welcome

You'll find a lot of documentation about the ZeroAccess rootkit on our blog:

http://www.prevxresearch.com/zeroaccess_analysis.pdf (which is going to be updated with the latest technical details as well)

http://blog.webroot.com/2011/08/08/t...e-of-the-same/

http://blog.webroot.com/2011/07/19/z...nother-update/

http://www.prevx.com/blog/171/ZeroAc...e-rootkit.html
__________________
Before you criticize someone, you should walk a mile in their shoes. That way when you criticize them, you are a mile away from them and you have their shoes
Check your PC in about a minute