ZeroAccess Rootkit Launched by Signed Installers

Discussion in 'other security issues & news' started by Zyrtec, Dec 3, 2011.

Thread Status:
Not open for further replies.
  1. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA


    http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers
     
  2. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Figures. The cert system is so fundamentally broken.
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Where does the user get this Flash Player installer that launches the malware? The blog doesn't say.

    Not from the Adobe site, I would imagine.


    ----
    rich
     
  5. wat0114

    wat0114 Guest

    I would imagine you're right :)
     
  6. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    The Flash installer is legit. The malware DLL isn't.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    OK, I'm evidently not understanding something.

    According to the blog,

    So, It appears the user has to already be compromised with a malware DLL, for the Flash installer to do its work.

    Is this a correct assumption?


    thanks,

    -rich
     
  8. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Include flash's installer in the payload, inject into it, execute flash? I assume that's all it is.
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    What payload?
     
  10. wat0114

    wat0114 Guest

    From the article:

    Somehow the malicious dll installs the rootkit by the looks of it? The dll seems to be included with the legitimate Flash installer, as MrBrian alludes to.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    So, how does the user get this Flash Installer packaged with a malware DLL?

    That is not addressed in the blog, unless I've missed something.
     
  12. wat0114

    wat0114 Guest

    Good question Rich :)

    *EDIT*

    the rootkit is disguised as the dll, which is named as msimg32.dll that the legitimate Flash installer sees as a legitimate associated dll. The installer won't look in the normal directory for it, wherever that directory normally is, because the installer and the malicious dll are together in the same directory.
     
    Last edited by a moderator: Dec 4, 2011
  13. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I sent a comment to mcafee asking how a user gets this "ZeroAccess package" (legitimate installer + malware DLL) onto the computer in the first place, to then execute the installer.

    See this screenshot in the blog, prefaced by this comment:

    "Below we see how the ZeroAccess package may look in a designated folder on a test machine."

    http://blogs.mcafee.com/wp-content/uploads/2011/11/ZeroAccessPackage2.png

    I hope they will respond.


    ----
    rich
     
  14. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    I would think social engineering.
     
  15. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Maybe you get an infection without admin rights, it downloads the adobe, injects into adobe, and launches/ bypasses UAC?

    No clue.
     
  16. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Hi Rich,

    Would it not be a simple drive by download to the Download directory, the Temp dir in Appdata\Local and C:\Windows\Temp be sufficient. Even a standard user has write (and execute) access to these directories.

    This downloaded DLL would be the Egg which will be Hunted by the auto-updater of adobe. The Adobe Flash auto-updater becomes the auto-breeder of the planted egg (the dll containing the malware).

    Java updater or Silverlight updater would also be possible auto-breeding candidates (some of them even use task scheduler to elevate quietly to High Rights).

    See http://support.microsoft.com/kb/2389418 for an explanation of this intrusion due to lousy programming standards.

    Chrome is using its own PDF and Flash versions (which are sandboxed), combine it with for instance Foxit Reader and stay away from popular plug-ins from big companies with lacking programming standards.

    Regards.
     
    Last edited: Dec 4, 2011
  17. wat0114

    wat0114 Guest

    I don't think anything is autoupdated; the signed Adobe Installer has to be manually executed. Since the malicious dll the installer sees as a dependency is in the same directory the installer resides in, it gets launched and the following happens:

    ...so the rootkit injects svchost.exe to get the ball rolling.

    It looks like it probably is social engineering as MrBrian states, tricking the user into downloading the Flash installer from somewhere unofficial, which might be zipped with the malicious dll, so that the Flash installer and malicious dll unzip to the same directory.

    It seems easy enough to avoid this; just download Flash from the official website to a known directory, preferrably empty, then install it from there.

    Anyways, hopefully Rich has his querry answered.
     
  18. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    It still comes down to one thing only - uneducated user. From what I understood so far, the malware needs to come packaged with Adobe Flash Player, right?

    Security vendors always fail to provide good practices, such as getting Adobe Flash Player from the official website. This would solve it, no? o_O

    The method may change a bit... the rest is... FUD... IMHO
     
  19. wat0114

    wat0114 Guest

    m00nbl00d, you've just stated it best :thumb: :)

    BTW, here's a very detailed analysis on the zeroaccess rootkit with some main points posted:

    -http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/
    It essentially comes down to the user, not surprisingly, but unfortunately, as m00nbl00d has correctly stated, these reports always fail to mention this and how easily these malware can be avoided.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Here are a few other attack methods of ZeroAccess in the past year or so, similar to how any malware trojan infects:

    Remove ZeroAccess (Removal Guide),
    http://www.cleanpcguide.com/remove-zeroaccess-removal-guide-how-to-remove-zeroaccess/
    Malicious Ads on Bing Lead to ZeroAccess Trojan
    http://198.65.112.157/en_us/blogs/m...t Sidebar Topics&utm_campaign=Malware Attacks
    Sponsored Results of Bing and Yahoo are too difficult to remove have rootkit
    http://letsbytecode.com/tag/zeroaccess/
    __________________________________________________________________________​

    But this current attack is different: somehow, two files have to get onto the computer and then the trusted one has to execute. If it's a drive by download of some type, well, that's easy enough to block. But if some type of social engineering attack, what has been speculated here so far is as good a guess as any, I suppose!


    ----
    rich
     
    Last edited: Dec 4, 2011
  21. wat0114

    wat0114 Guest

    Right, how the fake dll gets onto the user's machine (although the article states it's packaged together with the installer), is speculation on my part, but there's little doubt as to how the fake dll is launched; it's done so by the legitimate Flash installer, because MSIMG32.DLL is one of its dependencies, so in a normal installation, the Microsoft MSIMG32.DLL, located in %SYSTEM32%\ is launched, but in this case the fake dll is located in the same directory as the Flash installer, so it will get loaded because as stated in the article:
    The defined path is, of course, %System32%.

    Just out of curiosity sake, I tried PE explorer in the vm to check for that particular dependency of the Flash installer, and sure enough it's there.
     

    Attached Files:

  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I understand that; it's how the "package" gets onto the computer in the first place that remains a mystery.


    ----
    rich
     
  23. wat0114

    wat0114 Guest

    Sorry for reiterating things, but until my previous post, I couldn't be certain that was how the infection worked until I ran the PE Explorer to check for the MSIMG32.DLL dependency for the Flash installer.

    As for how it gets onto one’s computer, I think a couple of the links you posted might explain it.

    A user gets duped into downloading the installer through a rogue ad, as some quotes from those articles would indicate.

    Maybe the installer, along with the malicious dll, are packaged together as, for example, a .RAR or .ZIP, so when they’re extracted, they both land together in the chosen directory.

    The user installing the Flash executable doesn’t clue in or notice the malicious dll, and it’s game over.

    If one is to follow the advice from one of those articles:
    ...then problems is easily avoided.
     
  24. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Hi Kees,

    Good reasoning!

    I just heard back from one of the authors of the blog, and they "suspect a driveby download" because they have found the two files in a Temp directory, and in a Download directory for Firefox.

    He doesn't know the specifics of the attack, which I take to mean they haven't discovered a web site so as to take a peek at the code to see what vulnerability is being exploited.


    ----
    rich
     
    Last edited: Dec 4, 2011
  25. wat0114

    wat0114 Guest

    I've copied the legitimate msimg32.dll to both my user's (admin account in vm) Downloads and Appdata\local\Temp directories, and launching the Flash installer from either place results in the dll being invoked from the %system32% directory. The same thing using the syswow64 dll for the 64 bit installer. This is obviously preferred behaviour, so I wonder why it would launch the fake dll discussed in the article, unless that was an older Flash installer vulnerable to invoking the dependency from the unintended directory?
     
Loading...
Thread Status:
Not open for further replies.