ZeroAccess Rootkit Guards Itself with a Tripwire

Discussion in 'malware problems & news' started by Repne movsb, Jul 8, 2011.

Thread Status:
Not open for further replies.
  1. Repne movsb

    Repne movsb Registered Member

    Joined:
    Sep 27, 2010
    Posts:
    13
    http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/

    It kills security software like Hitman Pro, Dr.Web CureIT, Avira On-demand scanner and many others :Cool:
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    At first, I thought it's using a security software called Tripwire.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    This is pretty crazy.

    edit: So it manages to bypass UAC, PatchGuard, and typical antiviruses?
     
  4. sm1

    sm1 Registered Member

    Joined:
    Jan 1, 2011
    Posts:
    520
    So it's always safe to use UAC with maximum settings right?
     
  5. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    UAC on Max shouldn't use the whitelist, right? That'll prevent that form of infection at least...
     
  6. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    I don't think it bypasses UAC if you click no during installation.
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I think there's the initial infection, which has to install, and then it tries to bypass UAC to get the payload.

    Haven't really read the whole thing thoroughly, watching a movie.
     
  8. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It also says:

    The way most people become infected with this rootkit today is through exploit kits hosted on drive-by download Web sites. The exploit kits push a dropper to the victim PC and execute it.

    So, the most common way of a user becoming infected with it, is by visiting a website hosting exploits, resulting in drive-by downloads.

    If the exploit succeeds, then the dropper attempts to evade UAC by executing a new, code-injected instance of explorer.exe.
     
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thanks for that m00n.

    Any info on removal? I would think manual removal is the easiest method.
     
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    By the way, Webroot is providing the list of C&C servers for July and August.

    So, you can proactively block access to those domains.

    -http://webrootblog.files.wordpress.com/2011/07/zeroaccess_domains_jul2011.doc

    -http://webrootblog.files.wordpress.com/2011/07/zeroaccess_domains_aug2011.doc

    I guess we can expect a new variant by then.
     
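    As an added example (not from this thread, from Webroot, or from the linked documents), here is one way a defender could turn a published C&C domain list like the one above into a local blocklist and check DNS query logs against it. Every domain and log line below is a constructed placeholder under the reserved `.test` TLD; the real domains are only in the linked .doc files.

```python
"""Turn a published C&C domain list into a hosts-style blocklist and scan
DNS query logs for clients that resolved a listed domain (or a subdomain).
Added example; all names and log lines are constructed, not real IoCs."""
import re

# Constructed stand-in for a vendor-published domain list: mixed case,
# a trailing dot, a comment, a duplicate and one malformed entry.
CNC_DOMAINS_RAW = """
# constructed placeholder list, not the Webroot data
Example-CnC-Jul-1.test
example-cnc-jul-2.test.
EXAMPLE-cnc-jul-2.test
bad host with spaces
"""

# Constructed DNS resolver log: "<timestamp> <client> <qtype> <qname>"
DNS_LOG = """\
2011-07-08T10:00:01 10.0.0.5 A www.example.org
2011-07-08T10:00:07 10.0.0.5 A example-cnc-jul-1.test
2011-07-08T10:00:09 10.0.0.9 A cdn.example-cnc-jul-2.test
2011-07-08T10:00:12 10.0.0.9 AAAA notexample-cnc-jul-2.test
"""

# Hostname syntax: lowercase labels of 1-63 chars, at least two labels,
# total length at most 253. Anything else is rejected rather than blocked.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def normalize_domain(raw):
    """Lowercase, strip whitespace and a trailing dot; None if not a valid name."""
    d = raw.strip().lower().rstrip(".")
    return d if DOMAIN_RE.match(d) else None


def load_blocklist(text):
    """Parse a domain list (one per line, '#' comments) into a set."""
    out = set()
    for line in text.splitlines():
        d = normalize_domain(line.split("#", 1)[0])
        if d:
            out.add(d)
    return out


def is_blocked(qname, blocklist):
    """True if qname or any parent domain of it is on the blocklist."""
    d = normalize_domain(qname)
    if d is None:
        return False
    labels = d.split(".")
    # Walk from the full name up through each parent suffix.
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def render_hosts(blocklist):
    """Emit hosts-file lines that sinkhole each listed domain to 0.0.0.0."""
    return "".join(f"0.0.0.0 {d}\n" for d in sorted(blocklist))


def scan_dns_log(log_text, blocklist):
    """Return (client, qname) pairs for queries that hit the blocklist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of failing the scan
        _ts, client, _qtype, qname = parts
        if is_blocked(qname, blocklist):
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    bl = load_blocklist(CNC_DOMAINS_RAW)
    print(render_hosts(bl))
    for client, qname in scan_dns_log(DNS_LOG, bl):
        print(f"blocked lookup from {client}: {qname}")
```

    Matching on parent suffixes matters because a variant can rotate subdomains under the same registered domain; the regex check keeps a malformed line in the vendor list from silently becoming a no-op entry.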
  11. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Thanks m00n.
     
  12. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I couldn't find anything else, concerning removal of this new variant. But, I guess it's a matter of time until security vendors come with the solution.

    But, according to Webroot's article, the new x86 variant isn't that much different from the previous one; the only notable difference is the way the rootkit generates the payload's filename.

    Link to the whitepaper -http://pxnow.prevx.com/content/blog/zeroaccess_analysis.pdf

    Perhaps this analysis may also shed some light. It's not for the recent variant, but nonetheless it may be worth reading. -http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/
     
  13. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    :thumb:

    I guess one could block the entire Chinese IP netblock. :D
     
  14. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    I submitted the files to MVPS.
     
  15. hpmnick

    hpmnick Registered Member

    Joined:
    Mar 24, 2011
    Posts:
    186
    I'm assuming this targets IE... so I'd like to know what is going on to bypass the Sandbox? A low IL process of explorer should be able to do nothing, no?

    (EDIT)Probably a new method of this:
    http://secunia.com/advisories/38547/
     
  16. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    It makes use of exploits, so it could be a number of things.

    It is not unlikely that it also targets Firefox, the second most popular browser. It might not even affect IE9; it could just be IE8 and earlier.

    I'd be interested in hearing more about this.
     
  17. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,388
    Location:
    Lancashire
    I still don't believe in 'drive by' exploits. Someone PM me a link and I will go to that address; I bet at some point I will have to click 'OK' to get infected, which therefore does not make it a 'drive by' exploit.

    If anyone disagrees with this then give me a link and PROVE me wrong...
     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Yea, I've seen you ask before. Like EVERYONE has told you, websites that host exploits don't just sit around and linger. They stay around for a day or two (tops) and then they're cleaned up or removed. Same with infected webpages.

    That scary rootkit posted in the other topic? It's mainly distributed through exploits.
     
  19. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
  20. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Well, I PMed a source of malicious links. If you keep pushing, you may find what you're looking for. :-*

    Heck, I can PM you a lot more... but, as you've been told, domains hosting exploits don't last that long. Some (very few) may last 1 or 2 days, but that's about it.

    Be persistent. :argh:
     
  21. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    o_o can I get that PM too?

    I mean, most exploited sites simply don't last. They're usually hijacked and the admins either shut it down or clean it up. That or the site's simply removed for malicious activity.
     
  22. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I haven't come across many domains hosting exploits for longer than a few hours. But, some time ago I found a couple of links at MDL that were still up by the time I checked them with Wepawet.
     
  23. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
  24. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
  25. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,516
    It's another rootkit foiled by PatchGuard
     