WSA beta and zeroaccess rootkit

Discussion in 'Prevx Betas' started by Victek, Oct 3, 2011.

Thread Status:
Not open for further replies.
  1. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    4,390
    Location:
    USA
I've been hearing a lot recently about the ZeroAccess rootkit and its ability to disable security software in real-time. Has anyone tested WSA against ZeroAccess? Can it effectively prevent the rootkit from installing or remove it after the fact?
     
  2. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
No, it does no better than the other AVs.
    Only today, WSA was crippled by Zero Access in my VM.
    Once infected, you're history. It doesn't remove it after the fact.
     
  3. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,399
    Location:
    DC Metro Area
  4. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
  5. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    4,390
    Location:
    USA
I haven't tried it myself, but I observed it being used in a video and apparently it will run in an infected system. Generally, if a removal tool will not run from the normal desktop you try SAFE mode, and if that doesn't work you boot from a "rescue disk" (CD/DVD) and run the tool from there. Many security vendors offer a rescue disk as part of a complete security solution. For instance Symantec has the Norton Bootable Recovery Tool.
     
  6. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    Could you send me the dropper you've used? We should protect against ZeroAccess without a problem but there are indeed many versions out so it's hard to say which you'd have seen.

    Thanks!
     
  7. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I'll try to locate it for you Joe
Can you please let me know if I can submit a suspect file to support via system tools?
    I believe that this was not available during the Beta test phase.
     
  8. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    It's probably worth sending it to me directly to report@prevxresearch.com so that I get it in hand.
     
  9. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    587
    Location:
    Italy / UK
    It's enough to run the tool and follow the instructions listed on the screen.

Do you need any help with how to use it? :)
     
  10. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    I'm sorry Joe, I was unable to locate the file in question.
    If/when I come across another I will send it to you.:)
     
  11. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
    Hi EraserHW,
    I'll try to get infected in my VM, then I'll see if I can run the tool.
My experience with ZeroAccess malware is varied. With some you have a little control and they can be neutralized. Others cannot; even in safe mode they manage to block all access to your PC.
    The only solution is to use a bootable CD or restore the snapshot.

    That said, I haven't read any documentation on this removal tool, which I will do now.:)
It was more or less a question to myself: "how is it possible?"

Thanks Eraser for your offer of help. I'll have a look at it sometime today and post my experience.
     
  12. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    587
    Location:
    Italy / UK
    You're welcome :)

    You'll find a lot of documentation about ZeroAccess rootkit in our blog:

http://www.prevxresearch.com/zeroaccess_analysis.pdf (which is going to be updated with the latest technical details as well)

    http://blog.webroot.com/2011/08/08/tdl3-and-zeroaccess-more-of-the-same/

    http://blog.webroot.com/2011/07/19/zeroaccess-gets-another-update/

    http://www.prevx.com/blog/171/ZeroAccess-an-advanced-kernel-mode-rootkit.html
     