ZeroAccess Rootkit Reversed by White Hat Hacker

Searching_ _ _ · Nov 18, 2010

Bonfa's analysis offers insights into how rootkits work, as well as clues for security companies seeking better ways to stop them. Unfortunately, they'll have their work cut out for them.
That's because ZeroAccess includes hooks into the Windows operating system designed to make it difficult to uninstall without damaging the operating system itself. Once a computer becomes infected with ZeroAccess, the malware pursues a variety of other techniques to stay functional and undetected. For starters, it can use low-level API calls to create new disk volumes for itself, without a user ever seeing suspicious activity. In addition, it can alter system drivers "to allow for kernel-mode delivery of malicious code," said Bonja.
Furthermore, he said, the malware uses low-level disk and file system calls aimed at defeating "popular disk and in-memory forensics tools," and includes defenses against antivirus software detection.
Click to expand...

White Hat Hacker Cracks ZeroAccess Rootkit - InformationWeek

Meriadoc · Nov 19, 2010

Excellent analysis.

Reading the first part from the link at kernelmode.info, eagerly awaited the other three parts to the paper. Again, excellent reversing. Giuseppe 'Evilcry' Bonfa incidentally has wracked up a number of really great analysis at kernelmode.info or with links to papers at InfoSec.

If you don't want to register at the above site for the paper here is the link at InfoSec.

vtol · Nov 19, 2010

goog info. probably the ToS are violated by reverse engineering...

Log in or Sign up

ZeroAccess Rootkit Reversed by White Hat Hacker

Searching_ _ _ Registered Member

Meriadoc Registered Member

vtol Registered Member

Log in or Sign up

ZeroAccess Rootkit Reversed by White Hat Hacker

Searching_ _ _ Registered Member

Meriadoc Registered Member

vtol Registered Member

Useful Searches