ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.


Postby thisisu » Thu May 03, 2012 5:13 am

I would appreciate it if others would take a deeper look into this one / add comments.

MD5: 2efe003b8969fa946f194333152f334c
https://www.virustotal.com/file/8be9b39 ... /analysis/

This has some ZeroAccess similarities; it could be something new, as I have not seen this type of folder created before.

Here are the notes I've gathered so far:

%Windir% reparse point folder is missing but the following folder is created: C:\WINDOWS\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}
Inside this folder is:
Folder: L [empty]
Folder: U [inside is: 00000001.@, 800000cb.@, 80000000.@]
File: @ [2kb]
File: n [44kb]

This folder is created too but isn't as complete as previous one: %userprofile%\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}

No infected drivers or services.

Code:
========== regfind ==========

Searching for "1982f959-ca43-079e-42d0-55eab62fdb19"
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="\\.\globalroot\systemroot\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_USERS\S-1-5-21-1644491937-1383384898-854245398-1003\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_USERS\S-1-5-21-1644491937-1383384898-854245398-1003_Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Postby EP_X0FF » Thu May 03, 2012 6:38 am

This is a user-mode-only backdoor variant, running through a masqueraded CLSID and injecting the payload "n" dll into Explorer memory. All the others are win32 ZeroAccess component dlls.

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Postby thisisu » Thu May 03, 2012 3:43 pm

Thanks EP_X0FF :)
Was this something you've seen before?

For those interested, ThreatExpert report: http://www.threatexpert.com/report.aspx ... 33152f334c

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Postby EP_X0FF » Thu May 03, 2012 4:00 pm

Yes, basically this is ZeroAccess with the cut-off rootkit part.

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Postby thisisu » Fri May 04, 2012 2:53 am

The following Registry Value was modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
(Default) =

Default should be: C:\WINDOWS\system32\wbem\wbemess.dll

This variant changes it to: \\.\globalroot\systemroot\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}\n.
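One way to check a registry listing for the CLSID hijack described above, added here as an example and not code from the thread: it parses regfind-style output like the listing in the first post, compares the {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} default against the legitimate wbemess.dll path quoted above, and flags InprocServer32 values that point at \\.\globalroot or at a payload inside a {GUID}-named folder. The all-zero CLSID and the shell32.dll entry in the sample are constructed to show a clean entry is not flagged.

```python
import re

# Known-good InprocServer32 default for the WMI CLSID this variant overwrites (from the post above).
EXPECTED_INPROC = {
    "{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}": r"c:\windows\system32\wbem\wbemess.dll",
}
KEY_RE = re.compile(r"^\[(?P<key>.*\\CLSID\\(?P<clsid>\{[0-9a-f-]{36}\})\\InprocServer32)\]$", re.I)
VAL_RE = re.compile(r'^@="(?P<path>.*)"$')
# Device-namespace path instead of a drive letter, or a DLL inside a {GUID}-named folder.
SUSPICIOUS_PATH = re.compile(r"^\\\\\.\\globalroot\\|\\\{[0-9a-f-]{36}\}\\[^\\]+$", re.I)

def parse_regfind(text):
    """Yield (key, clsid, path) for every InprocServer32 default value in regfind-style output."""
    key = clsid = None
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            key, clsid = m.group("key"), m.group("clsid").upper()
        elif key and (m := VAL_RE.match(line.strip())):
            yield key, clsid, m.group("path")
            key = clsid = None

def classify(clsid, path):
    """Return the reasons a (CLSID, DLL path) pair looks hijacked; an empty list means clean."""
    reasons, p = [], path.lower()
    expected = EXPECTED_INPROC.get(clsid.upper())
    if expected and p.rstrip(".") != expected:
        reasons.append("default differs from known-good " + expected)
    if SUSPICIOUS_PATH.search(path):
        reasons.append("globalroot or {GUID}-folder path")
    if re.search(r"\\n\.?$", p):  # payload 'n'; Win32 drops the trailing dot when opening it
        reasons.append("single-letter payload 'n'")
    return reasons

def scan(text):
    hits = []  # [(registry key, reasons)] for every flagged InprocServer32 entry
    for key, clsid, path in parse_regfind(text):
        reasons = classify(clsid, path)
        if reasons:
            hits.append((key, reasons))
    return hits

# Constructed sample: two entries copied from the thread plus one clean entry (placeholder CLSID).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\WINDOWS\system32\shell32.dll"
[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32]
@="C:\Documents and Settings\thisisu\Local Settings\Application Data\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32]
@="\\.\globalroot\systemroot\Installer\{1982f959-ca43-079e-42d0-55eab62fdb19}\n."
"""
```

Running `scan(SAMPLE)` flags only the two hijacked keys; the baseline comparison is the check worth extending with the other COM CLSIDs a given Windows build ships.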

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Postby thisisu » Fri May 04, 2012 3:30 am

Another sample of the above (backdoor only):

MD5: 32105ea0c50fce1288ffabac627347eb
https://www.virustotal.com/file/779b07d ... /analysis/
http://www.threatexpert.com/report.aspx ... ac627347eb

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Postby hot_UNP » Fri May 04, 2012 9:19 am

Another sample...

MD5: 9F969277F87403CC8FB5E2FFB97A0301

This time VirusTotal... File not found

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Postby RomaNNN » Fri May 04, 2012 3:14 pm

hot_UNP wrote: Another sample...
MD5: 9F969277F87403CC8FB5E2FFB97A0301
This time VirusTotal... File not found

https://www.virustotal.com/file/74e2260 ... 336144334/

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Postby rkhunter » Sat May 12, 2012 7:06 am

Any idea why ZeroAccess droppers are now distributed without the rootkit?

Re: Rootkit ZeroAccess (alias Max++, Sirefef)

Postby EP_X0FF » Sat May 12, 2012 8:05 am

Maybe they finally realized it was the worst piece of shit? Seriously though, if you take a look at the ZeroAccess timeline, it's about time for another generation. So there will probably be something interesting in the future.