I've been hearing a lot recently about the ZeroAccess rootkit and its ability to disable security software in real time. Has anyone tested WSA against ZeroAccess? Can it effectively prevent the rootkit from installing or remove it after the fact?
No, it does no better than the other AVs. Only today, WSA was crippled by ZeroAccess in my VM. Once infected, you're history. It doesn't remove it after the fact.
I haven't tried it myself, but I observed it being used in a video and apparently it will run on an infected system. Generally, if a removal tool will not run from the normal desktop, you try Safe Mode, and if that doesn't work you boot from a "rescue disk" (CD/DVD) and run the tool from there. Many security vendors offer a rescue disk as part of a complete security solution. For instance, Symantec has the Norton Bootable Recovery Tool.
Could you send me the dropper you've used? We should protect against ZeroAccess without a problem, but there are indeed many versions out, so it's hard to say which you'd have seen. Thanks!
I'll try to locate it for you, Joe. Can you please let me know if I can submit a suspect file via System Tools to Support? I believe that this was not available during the Beta test phase.
It's enough to run the tool and follow the instructions listed on the screen. Do you need any help with how to use it?
I'm sorry, Joe, I was unable to locate the file in question. If/when I come across another, I will send it to you.
Hi EraserHW, I'll try to get infected in my VM, then I'll see if I can run the tool. My experience with ZeroAccess malware is varied. With some you have a little control and they can be neutralized. Others cannot; even in Safe Mode they manage to block all access to your PC. The only solution is to use a bootable CD or restore the snapshot. That said, I haven't read any documentation on this removal tool, which I will do now. It was more or less a question to myself: "how is it possible?" Thanks, Eraser, for your offer of help. I'll have a look at it sometime today and post my experience.
You're welcome. You'll find a lot of documentation about the ZeroAccess rootkit in our blog:
http://www.prevxresearch.com/zeroaccess_analysis.pdf (which is going to be updated with the latest technical details as well)
http://blog.webroot.com/2011/08/08/tdl3-and-zeroaccess-more-of-the-same/
http://blog.webroot.com/2011/07/19/zeroaccess-gets-another-update/
http://www.prevx.com/blog/171/ZeroAccess-an-advanced-kernel-mode-rootkit.html