ZeroAccess rootkit dissected

Discussion in 'other security issues & news' started by Melf, Apr 12, 2012.

Thread Status:
Not open for further replies.
Melf (Registered Member, joined Sep 7, 2010)

    Write-up by Sophos here. The write-up gives a pretty broad overview of attack vectors to worry about in today's systems, so thought I would summarize and offer comment:

    - Infections opt for one of 2 general tactics:
    1) Exploit a vulnerability in applications like your browser, mail client, or document viewers, that allow scripting (especially Flash and Java). The exploit allows the script to run, which downloads and executes a file. The most common exploits are seen in browsers when users navigate to sites that have been compromised, or are serving up ads that have been compromised. Although it is possible in principle for the script itself to do all sorts of damage, most infections rely on the download of an executable, presumably because they're easier to gain total control over the system with.
    2) Use social engineering to trick you into executing a malicious file because you think it is something else (typically some pirated software). Often to divert suspicion the actual thing you were trying to pirate is included, while the malware is installed in the background.

    - Interesting features of ZeroAccess:
    1) To gain hold on the system so that it can defend itself from discovery and removal it needs administrator access. UAC helps a little here, but ZeroAccess has a neat trick up its sleeve - the download includes a clean copy of the Adobe Flash installer, and it is actually the Flash installer that is executed. The user is presented with the UAC prompt showing the legitimate credentials of Adobe and sees that it is the Flash installer as opposed to whatever illegal warez they just downloaded. So they click yes, the Flash installation proceeds, and it attempts to load a system DLL that it calls. Except that ZeroAccess supplies its own DLL of the same name, which Windows finds before ever getting to the real DLL, since it looks in the same directory before wandering over to \system32.
    2) On 32-bit systems the admin credentials are used to patch the OS kernel. This is totally game over on 32-bit systems, the rootkit controls the hard drive directly and can offer up apparently clean files to any scanner looking in its sector. On 64-bit systems this does not happen - even with a sophisticated kit like this, 64-bit PatchGuard has not been bypassed. As opposed to TDL which still tries for direct disk access (MBR/creating its own boot partition), ZeroAccess on 64-bit limits itself to a user space infection. Autorun persistence is achieved through a \winlogon registry key in HKCU.
    3) On 32-bit systems with rootkit functionality ZeroAccess hides itself. But it also leaves open a non-hidden "bait" process. Any program attempting to interact with this process is almost certainly security software, and will be aggressively targeted by the real rootkit. This includes modification of the security program's ACL so that it cannot be executed unless the ACL is set back again (outside the reach of most users and not protected by most security programs, I gather).

    For interest the payload is usually to become part of a botnet so that you can help the authors earn money by participating in click fraud (pinging websites that pay for traffic) and spamming emails. ZeroAccess is available for other malware authors to rent space on, to aid in the distribution of their malware.

    Take home messages from this for me:
    1) Do NOT enable security software to automatically trust digital certificates from trustworthy sources
    2) DO have execution control or rights restrictions on your downloaded files
    3) If you must pirate software, do NOT pirate newly released stuff that requires admin privileges to install (and this is most things)
    4) DO guard against autoruns, which can easily be altered with user privileges
    5) DO use a firewall, which will stop a user-space payload from downloading more malware (or if the infection came through a document viewer, you may have stopped the payload itself from ever being downloaded), and stop you from contributing to the global spam epidemic
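As an added example (editor's code, not from the Sophos write-up or the post above), two small checks a defender can run for the tricks described in points 1) and 2) of "Interesting features": a scan of a download directory for DLLs whose name shadows a system DLL, and a scan of a .reg export for values under an HKCU Winlogon key. The system DLL list, file names and registry lines are all constructed samples.

```python
r"""Added example, not from the Sophos write-up or the post: defender-side
checks for tricks 1) and 2) under "Interesting features". Every path, DLL
name and registry line is a constructed sample; SYSTEM_DLLS stands in for a
real System32 listing (on a host: os.listdir(r"C:\Windows\System32"))."""
import os
import re
import tempfile

SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "cryptbase.dll"}  # constructed

def find_planted_dlls(directory, system_dlls=SYSTEM_DLLS):
    """DLLs in `directory` whose name collides with a system DLL. An installer
    run from here resolves that name to the local copy before System32 is
    searched (the load order the post describes; KnownDLLs are exempt)."""
    return sorted(os.path.join(directory, n) for n in os.listdir(directory)
                  if n.lower().endswith(".dll") and n.lower() in system_dlls)

def constructed_download_dir():
    """Throwaway directory shaped like the described download: an installer
    beside a planted DLL (all files empty, names constructed)."""
    d = tempfile.mkdtemp(prefix="dll_plant_demo_")
    for name in ("install_flash_player.exe", "VERSION.dll", "readme.txt"):
        open(os.path.join(d, name), "wb").close()
    return d

_WINLOGON_KEY = re.compile(r"^\[HKEY_CURRENT_USER\\.*\\Winlogon\]\s*$", re.I)

def winlogon_values_in_reg_export(reg_text):
    """(name, data) pairs under any HKCU ...\\Winlogon key of a .reg export.
    Per-user Winlogon values are uncommon on a clean install (assumption),
    so anything returned deserves a look; other keys are ignored."""
    found, in_key = [], False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_key = bool(_WINLOGON_KEY.match(line))
        elif in_key and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            found.append((name, data.strip('"')))
    return found

# Constructed .reg export: one HKCU Winlogon value plus an unrelated Run value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe,C:\\Users\\user\\AppData\\Roaming\\sample.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Example\\updater.exe"
"""
```

On a real machine, point find_planted_dlls at the user's Downloads folder with a list built from System32 and feed winlogon_values_in_reg_export the output of `reg export HKCU`.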