Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Forum for analysis and discussion about malware.
PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Rootkit ZeroAccess (aka MAX++)

Post by PX5 » Sat Dec 11, 2010 6:02 pm

Find the protector dll; mine was dropped in a subfolder inside WinSxS, made to appear as a backup file or something, since the subfolder is named like all backup folders for Vista/7.
Arrogance led me to my Ignorance

ConanTheLibrarian
Posts: 56
Joined: Mon Mar 15, 2010 1:12 am
Location: USA

Re: Rootkit ZeroAccess (aka MAX++)

Post by ConanTheLibrarian » Sat Dec 11, 2010 10:03 pm

vbma*** is not ZeroAccess - it is KillAV.D.

B-boy/StyLe/
Posts: 51
Joined: Mon Mar 22, 2010 2:43 am

Re: Rootkit ZeroAccess (aka MAX++)

Post by B-boy/StyLe/ » Sun Dec 12, 2010 10:52 pm

windbreaker11 wrote:vbma*** is not ZeroAccess - it is KillAV.D.

vbma*.sys is a variant of Win32/Rootkit.Agent.NTT trojan or Rootkit.Win32.Agent.bjqb 1 ;)

Here is one new Trojan.KillAV.D



Regards,
G. ;)

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit ZeroAccess (aka MAX++)

Post by EP_X0FF » Fri Feb 11, 2011 3:24 pm

Here is a new ZeroAccess build; thanks go to PX5.
It still infects drivers and still stores data on a hidden volume; the sample is reverse-friendly enough.
Ring0 - the source of inspiration

digitalranger
Posts: 1
Joined: Mon Feb 21, 2011 7:20 pm

Re: Rootkit ZeroAccess (aka MAX++)

Post by digitalranger » Mon Feb 21, 2011 8:29 pm

EP_X0FF wrote:Here is a new ZeroAccess build; thanks go to PX5.
It still infects drivers and still stores data on a hidden volume; the sample is reverse-friendly enough.
Can it infect only the XP kernel, or the Win 7 kernel too?

EP_X0FF
Global Moderator
Posts: 4882
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Rootkit ZeroAccess (aka MAX++)

Post by EP_X0FF » Wed Feb 23, 2011 9:52 am

It does not infect the kernel, it infects drivers. Start a VM and try yourself.
Ring0 - the source of inspiration

Flopik
Posts: 47
Joined: Wed Sep 08, 2010 5:39 pm

Re: Rootkit ZeroAccess (aka MAX++)

Post by Flopik » Mon Feb 28, 2011 4:50 pm

That's a nice piece of malware, hidden from PsLoadedModuleList and the Object directory:

lkd> dt _DRIVER_OBJECT 812203B0
ntdll!_DRIVER_OBJECT
+0x000 Type : 4
+0x002 Size : 168
+0x004 DeviceObject : (null)
+0x008 Flags : 4
+0x00c DriverStart : (null)
+0x010 DriverSize : 0
+0x014 DriverSection : 0x82261b70
+0x018 DriverExtension : 0x81220458 _DRIVER_EXTENSION
+0x01c DriverName : _UNICODE_STRING "\driver\2989018276"
+0x024 HardwareDatabase : (null)
+0x028 FastIoDispatch : 0xf89f6550 _FAST_IO_DISPATCH
+0x02c DriverInit : 0xb2106764 long <Unloaded_dFlr1nhs.SYS>+5764
+0x030 DriverStartIo : (null)
+0x034 DriverUnload : 0xf89f3e52 void +fffffffff89f3e52
+0x038 MajorFunction : [28] 0xf89f3dd9 long +fffffffff89f3dd9
lkd> dt _LDR_DATA_TABLE_ENTRY 0x82261b70
ntdll!_LDR_DATA_TABLE_ENTRY
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82261b70 - 0x82261b70 ]
+0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ]
+0x018 DllBase : 0xf89f2000
+0x01c EntryPoint : 0xf89f3ed8
+0x020 SizeOfImage : 0x7000
+0x024 FullDllName : _UNICODE_STRING ""
+0x02c BaseDllName : _UNICODE_STRING "80000002.sys"
+0x034 Flags : 0x1004000
+0x038 LoadCount : 1
+0x03a TlsIndex : 0
+0x03c HashLinks : _LIST_ENTRY [ 0xffffffff - 0x7aff ]
+0x03c SectionPointer : 0xffffffff
+0x040 CheckSum : 0x7aff
+0x044 TimeDateStamp : 0xfffffffe
+0x044 LoadedImports : 0xfffffffe
+0x048 EntryPointActivationContext : (null)
+0x04c PatchInformation : 0x00300038

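As an added triage script (not code from the thread or from any poster), the checks Flopik's dump makes visible, run over field values copied from it: an LDR_DATA_TABLE_ENTRY whose InLoadOrderLinks point back at itself, and a _DRIVER_OBJECT with DriverStart and DriverSize zeroed while its dispatch routines still fall inside the image range the LDR entry describes. The structure field names are the Windows ones shown in the dump; the parser and the heuristic are this example's own assumptions.

```python
import re
# WinDbg 'dt' output for the ZeroAccess driver object and its LDR entry, trimmed
# to the fields used below (constructed from the dump in the post above).
DRIVER_OBJECT_DUMP = """
+0x00c DriverStart : (null)
+0x010 DriverSize : 0
+0x014 DriverSection : 0x82261b70
+0x028 FastIoDispatch : 0xf89f6550 _FAST_IO_DISPATCH
+0x034 DriverUnload : 0xf89f3e52 void +fffffffff89f3e52
+0x038 MajorFunction : [28] 0xf89f3dd9 long +fffffffff89f3dd9
"""
LDR_ENTRY_DUMP = """
+0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x82261b70 - 0x82261b70 ]
+0x018 DllBase : 0xf89f2000
+0x020 SizeOfImage : 0x7000
+0x02c BaseDllName : _UNICODE_STRING "80000002.sys"
"""
FIELD_RE = re.compile(r'^\+0x[0-9a-f]+\s+(\w+)\s*:\s*(.*)$')

def parse_dt(text):
    """Map field name -> raw value text for one 'dt' structure dump."""
    out = {}
    for line in text.strip().splitlines():
        m = FIELD_RE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2).strip()
    return out
def ptr(value):
    """First hex number in a field value; '(null)' or missing -> 0."""
    m = re.search(r'0x[0-9a-f]+', value or '')
    return int(m.group(0), 16) if m else 0
def hidden_driver_indicators(drv_text, ldr_text):
    """Return the anomalies that mark the driver as unlinked from the loader list."""
    drv, ldr = parse_dt(drv_text), parse_dt(ldr_text)
    found = []
    # Flink and Blink both point at the entry itself: it was unlinked from
    # PsLoadedModuleList, so anything walking that list never sees the module.
    links = {ptr(x) for x in ldr.get('InLoadOrderLinks', '').split('-')}
    if links == {ptr(drv.get('DriverSection'))}:
        found.append('LDR entry unlinked from PsLoadedModuleList')
    if ptr(drv.get('DriverStart')) == 0 and drv.get('DriverSize') == '0':
        found.append('DriverStart/DriverSize zeroed')
    # The dispatch routines still sit inside [DllBase, DllBase+SizeOfImage)
    # although the driver object claims to own no image at all.
    base, span = ptr(ldr.get('DllBase')), ptr(ldr.get('SizeOfImage'))
    if all(base <= ptr(drv.get(f)) < base + span
           for f in ('DriverUnload', 'FastIoDispatch', 'MajorFunction')):
        found.append('dispatch routines inside unclaimed image at 0x%x' % base)
    return found
```

The same three checks can be applied to any driver object whose DriverSection points at an LDR entry, which is how a memory-forensics pass would flag an unlinked module without relying on the list itself.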

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Rootkit ZeroAccess (aka MAX++)

Post by PX5 » Sun Mar 20, 2011 12:04 pm

Arrogance led me to my Ignorance

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: Rootkit ZeroAccess (aka MAX++)

Post by PX5 » Mon Mar 21, 2011 2:15 pm

Arrogance led me to my Ignorance

shaheen
Posts: 35
Joined: Wed Jun 09, 2010 11:08 pm

Re: Rootkit ZeroAccess (aka MAX++)

Post by shaheen » Thu Mar 24, 2011 1:14 am

Just want to know a few things:

1- Which anti-rootkit applications can currently detect this?

2- Can it bypass a VM?

Thanks
