ZeroAccess Rootkit Guards Itself with a Tripwire

http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/

It kills security software like Hitman Pro, Dr.Web CureIT, Avira On-demand scanner and many others :Cool:

 

At first, I though it's using a security software called Tripwire.

 

This is pretty crazy.

edit: So it manages to bypass UAC, PatchGuard, and typical antiviruses?

 

So it's always safe to use UAC with maximum settings right?

 

UAC on Max shouldn't use the whitelist, right? That'll prevent that form of infection at least...

 

I don't think it bypasses UAC if you click no during installation.

 

I think there's the initial infection, which has to install, and then it tries to bypass UAC to get the payload.

Haven't really read the whole thing thoroughly, watching a movie.

 

It also says:

The way most people become infected with this rootkit today is through exploit kits hosted on drive-by download Web sites. The exploit kits push a dropper to the victim PC and executes it.

So, the most common way of a user becoming infected with it, is by visiting a website hosting exploits, resulting in drive-by downloads.

If the exploit succeeds, then The dropper attempts to evade UAC by executing a new, code-injected instance of explorer.exe.

 

Thanks for that m00n.

Any info on removal? I would think manual removal is the easiest method.

 

By the way, Webroot is providing the list of C&C servers for July and August.

So, you can proactively block access to those domains.

-http://webrootblog.files.wordpress.com/2011/07/zeroaccess_domains_jul2011.doc

-http://webrootblog.files.wordpress.com/2011/07/zeroaccess_domains_aug2011.doc

I guess we can expect a new variant by then.

 

Thanks m00n.

 

I couldn't find anything else, concerning removal of this new variant. But, I guess it's a matter of time until security vendors come with the solution.

But, according to the Webroot's article, the new x86 variant isn't that much different than the previous one, except the only notable difference being the way of the rootkit generates the payload’s filename.

Link to the whitepaper -http://pxnow.prevx.com/content/blog/zeroaccess_analysis.pdf

Perhaps this analysis may also shed some lights. It's not for the recent variant, but nonetheless it may be worth reading it. -http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/

 

I guess one could block the entire chinese IP netblock.

 

I submitted the files to MVPS.

 

I'm assuming this targets IE... so I'd like to know what is going on to bypass the Sandbox? A low IL process of explorer should be able to do nothing, no?

(EDIT)Probably a new method of this:
http://secunia.com/advisories/38547/

 

It makes use of exploits, so it could be a number of things.

It is not unlikely that it also targets Firefox, the second most popular browser. It might not even effect IE9, could just be IE8 and earlier.

I'd be interested in hearing mroe about this.

 

i still dont believe in 'drive by' exploits, someone PM me a link and i will go to that address, i bet at some point i will have to click 'OK' to get infected which therefore does not make it a 'drive by' exploit.

if anyone disagrees with this then give me a link and PROVE me wrong...

 

Yea, I've seen you ask before. Like EVERYONE has told you, websites that host exploits don't just sit around and linger. They stay around for a day or two (tops) and then they're cleaned up or removed. Same with infected webpages.

That scary rootkit posted in the other topic? It's mainly distributed through exploits.

 

Hi, see what you make of this https://www.wilderssecurity.com/showthread.php?t=302501

 

Well, I PMed a source of malicious links. If you keep pushing, you may find what you're looking for.

Heck, I can PM you a lot more... but, as you've been told, domains hosting exploits don't last that long. Some (very few) may last 1 or 2 days, but that's about it.

Be persistent.

 

o_o can I get that PM too?

I mean, most exploited sites simply don't last. They're usually hijacked and the admins either shut it down or clean it up. That or the site's simply removed for malicious activity.

 

I haven't come across many domains hosting exploits for longer than a few hours. But, sometime ago I found a couple links at MDL that were still up by the time I checked them with Wepawet.

 

Hi guys, if you are interested I've updated the tecnical paper describing the mechanisms behind ZeroAccess at this link: http://www.prevxresearch.com/zeroaccess_analysis.pdf

and I uploaded a small video showing the behavior of ZeroAccess against security software: http://www.youtube.com/watch?v=aoplNh3kT2Y

 

I am technically challenged, so this may be interesting, from November last year.

Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit

Part 2

Part 3

Part 4

 

It's another rootkit foiled by PatchGuard