WSA beta and zeroaccess rootkit

Discussion in 'Prevx Betas' started by Victek, Oct 3, 2011.

Thread Status:
Not open for further replies.
  1. Victek

    Victek Registered Member

    I've been hearing a lot recently about the zeroaccess rootkit and its ability to disable security software in real-time. Has anyone tested WSA against zeroaccess? Can it effectively prevent the rootkit from installing or remove it after the fact?
  2. overangry

    overangry Registered Member

    No, it does no better than the other AVs.
    Only today, WSA was crippled by Zero Access in my VM.
    Once infected, you're history. It doesn't remove it after the fact.
  3. hawki

    hawki Registered Member

  4. overangry

    overangry Registered Member

  5. Victek

    Victek Registered Member

    I haven't tried it myself, but I observed it being used in a video and apparently it will run in an infected system. Generally, if a removal tool will not run from the normal desktop you try SAFE mode, and if that doesn't work you boot from a "rescue disk" (CD/DVD) and run the tool from there. Many security vendors offer a rescue disk as part of a complete security solution. For instance, Symantec has the Norton Bootable Recovery Tool.
  6. PrevxHelp

    PrevxHelp Prevx Moderator

    Could you send me the dropper you've used? We should protect against ZeroAccess without a problem, but there are indeed many versions out, so it's hard to say which you'd have seen.

    Thanks!
  7. overangry

    overangry Registered Member

    I'll try to locate it for you, Joe.
    Can you please let me know if I can submit a suspect file via system tools to support?
    I believe that this was not available during the Beta test phase.
  8. PrevxHelp

    PrevxHelp Prevx Moderator

    It's probably worth sending it to me directly to report@prevxresearch.com so that I get it in hand.
  9. EraserHW

    EraserHW Prevx Moderator

    It's enough to run the tool and follow the instructions listed on the screen.

    Do you need any help with how to use it? :)
  10. overangry

    overangry Registered Member

    I'm sorry Joe, I was unable to locate the file in question.
    If/when I come across another I will send it to you. :)
  11. overangry

    overangry Registered Member

    Hi EraserHW,
    I'll try to get infected in my VM, then I'll see if I can run the tool.
    My experience with zero access malware is varied. With some you have a little control; they can be neutralized. Others cannot; even in safe mode they manage to block all access to your PC.
    The only solution is to use a bootable CD or restore the snapshot.

    That said, I haven't read any documentation on this removal tool, which I will do now. :)
    It was more or less a question to myself: "how is it possible?"

    Thanks Eraser for your offer of help, I'll have a look at it sometime today and post my experience.
  12. EraserHW

    EraserHW Prevx Moderator

    You're welcome :)

    You'll find a lot of documentation about ZeroAccess rootkit in our blog:

    http://www.prevxresearch.com/zeroaccess_analysis.pdf (which is going to be updated with the latest technical details as well)

    http://blog.webroot.com/2011/08/08/tdl3-and-zeroaccess-more-of-the-same/

    http://blog.webroot.com/2011/07/19/zeroaccess-gets-another-update/

    http://www.prevx.com/blog/171/ZeroAccess-an-advanced-kernel-mode-rootkit.html