ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.
unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by unixfreaxjp » Mon Mar 24, 2014 2:50 pm

Sirefef resurrected, date stamp 20/03/2014

Allow me to ask: can the previous method to kill this botnet be applied to fight him in this round too, yes?
For security purposes you don't have to answer if "yes".

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by EP_X0FF » Mon Mar 24, 2014 3:12 pm

As long as this botnet has infrastructure over P2P, it can be disrupted. ZeroAccess waited a few months and resurrected, as I believe, in "test" mode (only one plugin in the network) to see how quickly the MS response may be delivered/created.
Ring0 - the source of inspiration

unixfreaxjp
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by unixfreaxjp » Tue Mar 25, 2014 2:27 am

I don't know the "botnet" part of ZA as well as you folks do. I respect what you all did, cool work.
But he's lurking, since the infra is there, as feared in http://www.kernelmode.info/forum/viewto ... 490#p21817
Let's nail his ID and compile a crime case for LE friends.
Is off-list discussion OK? Let's work it out. We can do this!

rgds

flyroom
Posts: 4
Joined: Mon Nov 26, 2012 10:01 am

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by flyroom » Wed Mar 26, 2014 4:54 am

Another plugin seen on ZeroAccess with port 16470
800000CB.7z

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by EP_X0FF » Wed Mar 26, 2014 9:59 am

Is it currently in the ZeroAccess network? I'm asking because this is the old z00clicker from Oct 2013.
Ring0 - the source of inspiration

flyroom
Posts: 4
Joined: Mon Nov 26, 2012 10:01 am

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by flyroom » Thu Mar 27, 2014 2:32 am

EP_X0FF wrote: Is it currently in the ZeroAccess network? I'm asking because this is the old z00clicker from Oct 2013.
No, this plugin is not in ZA v2 now. From my latest crawling of ZA v2, there are only three functional plugins.

flyroom
Posts: 4
Joined: Mon Nov 26, 2012 10:01 am

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by flyroom » Thu Mar 27, 2014 2:52 am

Update in progress: another new plugin today, spreading on the 16464 branch.
BTW, the plugin 800000CB on the 16470 branch that I uploaded yesterday just disappeared; it seems deleted by the botmaster.
80000001_16464.7z

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by EP_X0FF » Thu Mar 27, 2014 4:22 am

It is a 6-month-old plugin from Aug 2013.
I don't see anything new except two click-fraud modules.
Ring0 - the source of inspiration

AronPX
Posts: 9
Joined: Sun Apr 27, 2014 1:01 am

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by AronPX » Sun Apr 27, 2014 1:26 am

Does anyone have a new sample of ZA?

thisisu
Posts: 362
Joined: Sun Feb 26, 2012 8:57 am

Re: ZeroAccess (alias MaxPlus, Sirefef)

Post by thisisu » Mon Apr 28, 2014 2:07 am

AronPX wrote: Does anyone have a new sample of ZA?
I have a PC now with ZA that contains an *etadpug service. Is that still the newest variant?
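An added defender-side example, not code from this thread or from any of its posters: it takes the two indicators the posts mention, the plugin port branches 16464 and 16470 and the *etadpug service name, and runs them over a constructed firewall-style log and service list. The log line format, the IP addresses and the peer-count threshold are assumptions made for the example; real ZeroAccess traffic may use ports the thread does not name.

```python
import re

# Indicators taken from the thread: UDP port "branches" the plugins spread
# on, and a service name ending in "etadpug" behind a random prefix.
ZA_BRANCH_PORTS = {16464, 16470}
ZA_SERVICE_RE = re.compile(r"^\w*etadpug$", re.IGNORECASE)

# Constructed firewall-style log for the example (format is an assumption):
# "<time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2014-03-27T02:52:01 10.0.0.5:49152 -> 198.51.100.7:16464 UDP
2014-03-27T02:52:01 10.0.0.5:49152 -> 198.51.100.9:16464 UDP
2014-03-27T02:52:02 10.0.0.5:49152 -> 203.0.113.20:16464 UDP
2014-03-27T02:52:02 10.0.0.5:49153 -> 203.0.113.21:16464 UDP
2014-03-27T02:52:03 10.0.0.8:49200 -> 198.51.100.7:16470 UDP
2014-03-27T02:52:04 10.0.0.9:51000 -> 192.0.2.10:16464 TCP
2014-03-27T02:52:05 10.0.0.9:51001 -> 192.0.2.11:443 TCP
"""
CONN_RE = re.compile(r"^\S+\s+(\S+):(\d+)\s*->\s*(\S+):(\d+)\s+(\w+)$")


def find_p2p_peers(lines, ports=ZA_BRANCH_PORTS):
    """Return (src_ip, dst_ip, dst_port) for UDP flows to a ZA branch port."""
    hits = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than guess
        src, _, dst, dport, proto = m.groups()
        if proto.upper() == "UDP" and int(dport) in ports:
            hits.append((src, dst, int(dport)))
    return hits


def peers_per_branch(lines):
    """Map src_ip -> {branch_port: set of distinct peer IPs}."""
    table = {}
    for src, dst, port in find_p2p_peers(lines):
        table.setdefault(src, {}).setdefault(port, set()).add(dst)
    return table


def suspect_hosts(lines, min_peers=3):
    """Hosts fanning out to >= min_peers distinct peers on one branch port.
    One hit may be noise; a fan-out on a single port is what a P2P node looks like."""
    return sorted((src, port) for src, branches in peers_per_branch(lines).items()
                  for port, peers in branches.items() if len(peers) >= min_peers)


def find_za_services(service_names):
    """Service names matching the *etadpug pattern from the thread."""
    return [s for s in service_names if ZA_SERVICE_RE.match(s)]
```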
