ZeroAccess Rootkit Guards Itself with a Tripwire

Discussion in 'malware problems & news' started by Repne movsb, Jul 8, 2011.

Thread Status:
Not open for further replies.
  1. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I thought the point is that it gets around PatchGuard?
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Sorry, read older Prevx article, and forgot this one.
     
  3. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Gotcha. Seems like more and more rootkits are now updating to bypass the PatchGuard protection. Microsoft should really release an update...
     
  4. treehouse786

    treehouse786 Registered Member

    Joined:
    Jun 6, 2010
    Posts:
    1,411
    Location:
    Lancashire
  5. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    No such links here. Look and ask for it elsewhere
     
  6. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Just to better explain some things:

    • ZeroAccess doesn't bypass PatchGuard at all, it uses different ways of infection on x64 and x86 Windows builds
    • on x64 Windows builds ZeroAccess works as a standard user mode malware
    • The kernel mode analysis is related to the x86 driver infection
     
  7. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    I see. Thanks for the clarification Eraser, I appreciate that.
     
  8. Baserk

    Baserk Registered Member

    Joined:
    Apr 14, 2008
    Posts:
    1,321
    Location:
    AmstelodamUM
    Nice vid.
    Avira, Norton AV, Dr. Web, HitmanPro, RKU, they all get butchered.
    But how does Prevx/Webroot do, on a 'ZeroAccess' infected computer?
    No vid of your own product, slaying this monster? Or is it butchered also?

    - edit: On the 'Webroot Threat blog', you wrote: "...As it turned out, we can easily bypass the filtering technique and get to the masked data. We’ve also reversed the code the rootkit uses to generate domain names it will contact for command-and-control..."
    Does this mean Webroot kills the bugger on an infected PC? I would have shown that in the vid.
     
    Last edited: Jul 13, 2011
  9. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Well, it doesn't just have a blacklist of programs or anything. It has a filtering process that looks for specific commands directed at the rootkit's dummy drivers, and then it has two rules for whitelisting applications. So, it would seem that all antiviruses/any 3rd party applications would crash immediately after touching the files.

    edit: And then, of course, as soon as it's killed the rootkit continues on to prevent that process from starting again.

    This new iteration is really cool/ thorough. It's a very creative rootkit. It would be really interesting to see some of these new ideas implemented in future rootkits or even the TDL.

    Edit: And that technical writeup on zeroaccess was great. Thank you.
     
  10. x942

    x942 Guest

    Well yay for SRP and no Escalation from LUA :thumb:
     
  11. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Thanks, good read and much appreciated (and to those who posted other links about this).

    How well does Prevx install, run and remove this rootkit?
     
  12. erikloman

    erikloman Developer

    Joined:
    Jun 4, 2009
    Posts:
    3,152
    Location:
    Hengelo, The Netherlands
    Today we've released Hitman Pro 3.5.9 build 127 that blocks code injection attacks by ZeroAccess.

    I just posted the ZeroAccess rootkit strikes back article on our blog and made a video showing Hitman Pro fighting off the ZeroAccess code injection attack and removing the rootkit from the system.

    http://www.youtube.com/watch?v=61f7Kp18mbk
     
  13. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Awesome. +1 for antimalware I suppose =p
     
  14. RJK3

    RJK3 Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    862
    Ironically, I knew someone who could have used that a few days ago ;)

    I'll pass it on to them. Thanks for the video, didn't realise it altered the permissions.
     
  15. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    Thanks Erik! ;)

    TH
     
  16. AnonRogue

    AnonRogue Registered Member

    Joined:
    Jul 18, 2011
    Posts:
    10
    LMFAO took you security guys long enough to find this jeez...

    There are ring driver based rootkits that bypass every security vendor that is out atm; although they are private methods, they work very, very well and are stable.

    ~Comments removed per the Terms Of Service for using these forums.~
     
    Last edited by a moderator: Jul 18, 2011
  17. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    606
    Location:
    Cleveland, Ohio USA
    ZeroAccess Gets Another Update

    http://blog.webroot.com/2011/07/19/zeroaccess-gets-another-update/

     
  18. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Doesn't seem like such a major update to me... what's the significance of simply moving some files?
     
  19. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    • Changed the whole way how the files are stored
    • Changed the whole encryption mechanism
    • Improved the self-defense mechanism
    • Extended the self-defense routine to cover more area
    • Added driver's runtime packer

    lol, looks like I'm listing the changelog of a product:D
     
  20. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,146
    Hm. Not sure how I was supposed to extrapolate all of that from that quote.

    Thanks. Will Prevx's analysis be including this latest update any time soon?
     
  21. Malcontent

    Malcontent Registered Member

    Joined:
    Dec 30, 2005
    Posts:
    606
    Location:
    Cleveland, Ohio USA
    If you followed the link to the blog entry from which the quote was taken you would have found a lot more information.
     
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy