Rootkit ZeroAccess (alias MaxPlus, Sirefef)


Postby EP_X0FF » Sun Mar 14, 2010 1:43 pm

ZeroAccess (aka Sirefef) common information.

Multi-component family of malware that uses stealth to hide its presence on your computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes:

  • Downloading and executing arbitrary files
  • Contacting remote hosts
  • Disabling integrated Windows security features

Payload: clickfraud, bitcoin mining.
Features: p2p engine for botnet organization.

ZeroAccess timeline, thanks to rin.


All mentioned PDF files attached to the post, no pass.

****************************************************************************************

Original post below.
Infects (replaces) system drivers.
Injects a dll into the address space of some trusted processes. Actively counteracts detection (stealing the driver objects of disk.sys
and pci.sys) and removal. The driver installs an ImageLoad notification and performs IRP hooking for the disk storage driver (disk.sys).
The payload dll performs a lot of modifications in user mode (splicing).

The previous generation of this rootkit acted like a file system redirector, killing detection software when it tried to access
rootkit data.

VirusTotal
http://www.virustotal.com/analisis/d22425d964751152471cca7e8166cc9e03c1a4a2e8846f18b665bb3d350873db-1268574110

MD5
d8f6566c5f9caa795204a40b3aaaafa2

SHA1
d0b7cd496387883b265d649e811641f743502c41
Ring0 - the source of inspiration
EP_X0FF
Global Moderator
 
Posts: 4752
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation
Reputation point: 562

Re: Rootkit ZeroAccess (aka MAX++)

Postby ConanTheLibrarian » Mon Mar 15, 2010 2:38 pm

I have yet to see any applications that are commercially free that will detect and remove this. By commercially free I mean free for use without restrictions by companies for profit.
ConanTheLibrarian
 
Posts: 56
Joined: Mon Mar 15, 2010 1:12 am
Location: USA
Reputation point: 6

Re: Rootkit ZeroAccess (aka MAX++)

Postby gjf » Mon Mar 15, 2010 3:46 pm

Could you please provide more info concerning detection and removal? I know VBA32 removes it, but nothing concerning detection specs and some other tools to help.
VirusInfo / Defendium / SafeZone Helpers Crew
gjf
 
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home
Reputation point: 26

Re: Rootkit ZeroAccess (aka MAX++)

Postby EP_X0FF » Mon Mar 15, 2010 4:30 pm

Hello,

gjf wrote: Could you please provide more info concerning detection and removal?

It can be detected by the public version of Rootkit Unhooker. Due to its rootkit technology it steals the disk.sys and pci.sys driver objects. These drivers are double-listed by RkU. Also it has an unknown image notify callback.
I've tried the following removal - overwrite (replace) the driver with the original (sometimes even a simple copy-paste works) and reset the system.
Typically antirootkits will not show you the faked driver, because they only show discrepancies between file system data and raw disk data (files that are hidden from API enumeration).
Ring0 - the source of inspiration
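The detection and removal approach described above (a replaced driver that antirootkits will not flag, because the file on disk is the same file the API shows) is illustrated here by an added example; this is not code from EP_X0FF's post or from Rootkit Unhooker. The script hashes every file in a drivers directory, flags hits on the MD5/SHA1 quoted in the first post, and, more usefully for a replaced disk.sys whose hash is not yet on any list, flags drift from a known-good baseline. The sample directory, baseline and file contents are constructed; the only values taken from the thread are the two hashes.

```python
"""Driver integrity check: known-bad hash IoCs plus known-good baseline.

Added example, not code from the forum post. KNOWN_BAD holds the MD5/SHA1
listed in the first post; the demo() scenario is entirely constructed so
the script runs offline on any OS.
"""
import hashlib
import os
import tempfile

# Hash IoCs quoted in the first post of this thread.
KNOWN_BAD = {
    "md5": {"d8f6566c5f9caa795204a40b3aaaafa2"},
    "sha1": {"d0b7cd496387883b265d649e811641f743502c41"},
}


def hash_file(path, chunk=1 << 16):
    """Return MD5 and SHA1 of a file, streaming so large drivers are fine."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def scan_drivers(driver_dir, baseline=None, known_bad=KNOWN_BAD):
    """Walk driver_dir and report (name, reason) findings.

    A file is reported if its hash is on the known-bad list, or if the
    baseline {lower-case name: sha1} knows the file and the hash differs.
    A replaced disk.sys shows up via the second rule even before its hash
    reaches any IoC list.
    """
    findings = []
    baseline = baseline or {}
    for name in sorted(os.listdir(driver_dir)):
        path = os.path.join(driver_dir, name)
        if not os.path.isfile(path):
            continue
        h = hash_file(path)
        if h["md5"] in known_bad["md5"] or h["sha1"] in known_bad["sha1"]:
            findings.append((name, "known-bad hash"))
        elif name.lower() in baseline and baseline[name.lower()] != h["sha1"]:
            findings.append((name, "differs from baseline"))
    return findings


def demo():
    """Constructed scenario: disk.sys no longer matches its baseline hash,
    pci.sys is intact, and one extra file hits a (constructed) IoC."""
    original = b"MZ original disk.sys image (constructed)"
    baseline = {
        "disk.sys": hashlib.sha1(original).hexdigest(),
        "pci.sys": hashlib.sha1(b"MZ pci.sys image (constructed)").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "disk.sys"), "wb") as f:
            f.write(b"MZ replaced disk.sys image (constructed)")
        with open(os.path.join(d, "pci.sys"), "wb") as f:
            f.write(b"MZ pci.sys image (constructed)")
        with open(os.path.join(d, "sample.bin"), "wb") as f:
            f.write(b"constructed sample standing in for a dropped driver")
        # Extend the IoC set with the constructed sample's hash, as if it
        # were on the list, so the known-bad branch is exercised too.
        bad = {"md5": set(KNOWN_BAD["md5"]), "sha1": set(KNOWN_BAD["sha1"])}
        bad["sha1"].add(hash_file(os.path.join(d, "sample.bin"))["sha1"])
        return scan_drivers(d, baseline, bad)


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

On a real system the baseline would be the SHA1 of each driver taken from a clean install of the same service pack, and the scan would be pointed at the drivers directory; the hash match alone is only as good as the IoC list, which is why the baseline comparison is the part that catches a replaced system driver.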

WinLocker with some rootkit technology

Postby gjf » Wed Mar 17, 2010 12:14 pm

Dear All!

Could you please help in analysis of the following:
hxxp://www.mediafire.com/?wgxtxmyybiy
hxxp://www.mediafire.com/?zzjmjmzorln
(possibly the same just repacked versions)

What is this - it's malware which locks Windows, requesting an SMS for unlocking. We saw a huge amount of such malware at the beginning of this year.

What is interesting:
1. The malware detects virtualization and doesn't install (tested under VMWare 7.0.1 build-227600 - that's why I cannot analyze it myself and am asking for your help).
2. It installs and hides a system driver under the name "\??\C2CAD972#4079#4fd3#A68D#AD34CC121074\b48dadf8.sys" or something like that, patching some active system driver. The original driver is stored under an encrypted name.
3. It locks Windows etc :)

Now the main way to remove this malware is to run the built-in uninstall procedure. But it is very interesting to know what to do if such a procedure is omitted :)

Possibly I will present all versions of this locker so we can investigate the changes from version to version. If it is found interesting, of course.
VirusInfo / Defendium / SafeZone Helpers Crew
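As an added example (not code from gjf's post), a small triage routine over kernel-driver service ImagePath values. The regex generalizes the single driver name quoted above (a \??\ prefix, a GUID written with '#' separators, an 8-hex-digit .sys file name), which is an assumption since the post says "or something like that"; a second, weaker check flags any driver loaded from outside system32\drivers. The service list is constructed.

```python
"""Triage of driver ImagePath values for the naming pattern quoted in the post.

Added example, not code from the thread. HASHED_GUID_DIR is a generalization
(assumption) of the one path gjf quoted; SAMPLE_SERVICES is constructed.
"""
import re

# "\??\<8 hex>#<4 hex>#<4 hex>#<4 hex>#<12 hex>\<8 hex>.sys"
HASHED_GUID_DIR = re.compile(
    r"^\\\?\?\\[0-9a-f]{8}(?:#[0-9a-f]{4}){3}#[0-9a-f]{12}\\[0-9a-f]{8}\.sys$",
    re.IGNORECASE,
)

# The usual spellings of the legitimate driver directory in ImagePath:
#   system32\DRIVERS\x.sys, \SystemRoot\System32\drivers\x.sys,
#   \??\C:\Windows\system32\drivers\x.sys
NORMAL_DRIVER_DIR = re.compile(
    r"^(?:\\systemroot\\|\\\?\?\\[a-z]:\\windows\\)?system32\\drivers\\[^\\]+\.sys$",
    re.IGNORECASE,
)


def classify_image_path(image_path):
    """Return a verdict for one ImagePath value: 'ok', 'review: ...' or
    'suspicious: ...'. Quotes and surrounding whitespace are tolerated."""
    p = image_path.strip().strip('"')
    if HASHED_GUID_DIR.match(p):
        return "suspicious: hashed-GUID directory (pattern from the post)"
    if not NORMAL_DRIVER_DIR.match(p):
        return "review: driver outside system32\\drivers"
    return "ok"


def triage(services):
    """services: iterable of (service name, ImagePath). Returns the
    entries that are not plainly ok, with their verdict."""
    out = []
    for name, path in services:
        verdict = classify_image_path(path)
        if verdict != "ok":
            out.append((name, verdict))
    return out


# Constructed sample of what a services enumeration might return.
SAMPLE_SERVICES = [
    ("Disk", r"system32\DRIVERS\disk.sys"),
    ("pci", r"\SystemRoot\System32\drivers\pci.sys"),
    ("b48dadf8", r"\??\C2CAD972#4079#4fd3#A68D#AD34CC121074\b48dadf8.sys"),
    ("oddsvc", r"\??\C:\Documents and Settings\user\Local Settings\Temp\x.sys"),
]


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_SERVICES):
        print(f"{name}: {verdict}")
```

The second check deliberately reports rather than condemns: third-party drivers do sometimes live elsewhere, so "review" is a queue for a human, while the first pattern is specific enough to the name the post quotes to be worth an immediate look.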

Re: WinLocker with some rootkit technology

Postby Tuanloc » Wed Mar 17, 2010 12:58 pm

What is the Password to extract this file?
Tuanloc
 
Posts: 3
Joined: Tue Mar 16, 2010 11:26 am
Reputation point: 0

Re: WinLocker with some rootkit technology

Postby gjf » Wed Mar 17, 2010 1:10 pm

Oh, sure. The password is virus
VirusInfo / Defendium / SafeZone Helpers Crew

Re: WinLocker with some rootkit technology

Postby Tuanloc » Wed Mar 17, 2010 1:48 pm

You can upload the virus to http://www.threatexpert.com.
They will reply with the result after 2 minutes.

Re: WinLocker with some rootkit technology

Postby EP_X0FF » Wed Mar 17, 2010 1:52 pm

Hello,

you can try to use Desktops from SysInternals.
Set it up before running the sample and then switch desktop.
I doubt that this malware has anything against this.

Regards.
Ring0 - the source of inspiration

Re: WinLocker with some rootkit technology

Postby gjf » Wed Mar 17, 2010 2:25 pm

EP_X0FF,

Possibly you understood me incorrectly. I am not asking about a way to cure this infection. Actually I know that (calling the built-in uninstaller). I am talking now about the way this malware hides itself and how to remove it if the present version is developed further.

In real life I cannot work at all after infection because of the locking - so I cannot install or use Desktops. Sure, I can install Desktops and use it forever as a defense tool, but that is not the way we are talking about.

Consequently, I cannot use Desktops for analysis because I cannot risk my working system at the present time - and virtualization does not work. That's why I have posted this subject, expecting someone more experienced will help. Moreover it could be of interest taking into account our topic here.
VirusInfo / Defendium / SafeZone Helpers Crew
