
Rootkit ZeroAccess (alias MaxPlus, Sirefef)

Posted: Sun Mar 14, 2010 1:43 pm
by EP_X0FF
ZeroAccess (aka Sirefef) common information.

Multi-component family of malware that uses stealth to hide its presence on your computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes:
  • Downloading and executing of arbitrary files
  • Contacting remote hosts
  • Disabling of integrated Windows security features
Payload: clickfraud, bitcoin mining.
Features: p2p engine for botnet organization.

ZeroAccess timeline, thanks to rin.
All mentioned PDF files attached to the post, no pass.

****************************************************************************************

Original post below.
Infects (replaces) system drivers.
Injects a DLL into the address space of some trusted processes. Actively counteracts detection (stealing the driver objects of disk.sys
and pci.sys) and removal. The driver installs an ImageLoad notification and performs IRP hooking for the disk storage driver (disk.sys).
The payload DLL performs a lot of modifications in user mode (splicing).

The previous generation of this rootkit acted like a file system redirector, killing detection software when it tried to access
rootkit data.

VirusTotal
http://www.virustotal.com/analisis/d224 ... 1268574110

MD5
d8f6566c5f9caa795204a40b3aaaafa2

SHA1
d0b7cd496387883b265d649e811641f743502c41

Re: Rootkit ZeroAccess (aka MAX++)

Posted: Mon Mar 15, 2010 2:38 pm
by ConanTheLibrarian
I have yet to see any applications that are commercially free that will detect and remove this. By commercially free I mean free for use without restrictions by companies for profit.

Re: Rootkit ZeroAccess (aka MAX++)

Posted: Mon Mar 15, 2010 3:46 pm
by gjf
Could you please provide more info concerning detection and removal? I know VBA32 removes it, but nothing concerning detection specs and some other tools to help.

Re: Rootkit ZeroAccess (aka MAX++)

Posted: Mon Mar 15, 2010 4:30 pm
by EP_X0FF
Hello,
gjf wrote: Could you please provide more info concerning detection and removal?
It can be detected by the public version of Rootkit Unhooker. Due to its rootkit technology it steals the disk.sys and pci.sys driver objects. These drivers are double-listed by RkU. Also it has an unknown image notify callback.
I've tried the following removal: overwrite the replaced driver with the original (sometimes even a simple copy-paste works) and reset the system.
Typically antirootkits will not show you the faked driver, because they only show discrepancies between file system data and raw disk data (files that are hidden from API enumeration).
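
The two observations above (dispatch entries of a stolen disk.sys driver object pointing outside any loaded module, and an image-load notify callback that belongs to no loaded module) reduce to one address-to-module check. The following is an added example, not code from the thread or from Rootkit Unhooker: a user-mode C model of that check over constructed sample data. The module list, driver objects, addresses and the "ntoskrnl.exe" whitelist entry are all assumptions made for the example; real tooling would walk the \Driver object directory and the loaded-module list from kernel mode.

```c
/* Added example (not from the original post): model of the checks an
 * anti-rootkit runs to flag a stolen driver object or an unknown callback.
 * All module ranges, driver objects and addresses below are constructed. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define IRP_MJ_READ             0x03
#define IRP_MJ_WRITE            0x04
#define IRP_MJ_DEVICE_CONTROL   0x0e
#define IRP_MJ_SCSI             0x0f
#define IRP_MJ_MAXIMUM_FUNCTION 0x1b
#define N_IRP (IRP_MJ_MAXIMUM_FUNCTION + 1)

typedef struct { const char *name; uint64_t base; uint64_t size; } loaded_module;

typedef struct {
    const char *name;                  /* module the driver object is named after */
    uint64_t    major_function[N_IRP]; /* DRIVER_OBJECT.MajorFunction[] stand-in */
} driver_object;

/* Constructed loaded-module list (stand-in for PsLoadedModuleList). */
static const loaded_module sample_modules[] = {
    { "ntoskrnl.exe", 0x80400000ULL, 0x200000ULL },
    { "pci.sys",      0xf7b00000ULL, 0x010000ULL },
    { "disk.sys",     0xf7a00000ULL, 0x006000ULL },
};
#define N_MODULES (sizeof sample_modules / sizeof sample_modules[0])

/* Map a kernel address to the module whose image range contains it. */
static const loaded_module *module_for(const loaded_module *mods, size_t n, uint64_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}

/* Implemented IRPs dispatch into the driver image; every other slot points into
 * ntoskrnl (nt!IopInvalidDeviceRequest in a real kernel). Assumed offsets. */
static void fill_dispatch(driver_object *d, const char *name, uint64_t image_base)
{
    d->name = name;
    for (int mj = 0; mj < N_IRP; mj++) d->major_function[mj] = 0x80412340ULL;
    d->major_function[IRP_MJ_READ]           = image_base + 0x1200;
    d->major_function[IRP_MJ_WRITE]          = image_base + 0x1200;
    d->major_function[IRP_MJ_DEVICE_CONTROL] = image_base + 0x2400;
    d->major_function[IRP_MJ_SCSI]           = image_base + 0x2800;
}

/* Constructed scenario: disk.sys listed twice, the second copy with its storage
 * IRPs redirected to an address no loaded module claims (a hidden rootkit image). */
static void make_sample_drivers(driver_object out[2])
{
    fill_dispatch(&out[0], "disk.sys", 0xf7a00000ULL);
    fill_dispatch(&out[1], "disk.sys", 0xf7a00000ULL);
    out[1].major_function[IRP_MJ_READ]           = 0xfe123400ULL;
    out[1].major_function[IRP_MJ_WRITE]          = 0xfe123400ULL;
    out[1].major_function[IRP_MJ_DEVICE_CONTROL] = 0xfe123500ULL;
    out[1].major_function[IRP_MJ_SCSI]           = 0xfe123600ULL;
}

/* Count dispatch entries resolving neither to the driver's own image nor to ntoskrnl. */
int check_driver_object(const driver_object *d, const loaded_module *mods, size_t n)
{
    int suspicious = 0;
    for (int mj = 0; mj < N_IRP; mj++) {
        const loaded_module *m = module_for(mods, n, d->major_function[mj]);
        if (m && (strcmp(m->name, d->name) == 0 || strcmp(m->name, "ntoskrnl.exe") == 0))
            continue;
        suspicious++;
        printf("%s: IRP_MJ 0x%02x -> 0x%llx (%s)\n", d->name, mj,
               (unsigned long long)d->major_function[mj], m ? m->name : "unknown module");
    }
    return suspicious;
}

/* A notify callback whose address maps to no loaded module is what RkU reports as "unknown". */
int callback_is_unknown(uint64_t callback, const loaded_module *mods, size_t n)
{
    return module_for(mods, n, callback) == NULL;
}

/* Number of driver-object names that appear more than once ("double-listed"). */
int count_double_listed(const driver_object *d, size_t n)
{
    int dups = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            if (strcmp(d[i].name, d[j].name) == 0) { dups++; break; }
    return dups;
}

/* Convenience wrappers that build the constructed scenario and run one check. */
int sample_check(int idx) { driver_object drv[2]; make_sample_drivers(drv); return check_driver_object(&drv[idx], sample_modules, N_MODULES); }
int sample_double_listed(void) { driver_object drv[2]; make_sample_drivers(drv); return count_double_listed(drv, 2); }

int main(void)
{
    printf("clean disk.sys object: %d suspicious entries\n", sample_check(0));
    printf("stolen disk.sys object: %d suspicious entries\n", sample_check(1));
    printf("double-listed names: %d\n", sample_double_listed());
    printf("image notify callback 0xfe120000 unknown: %d\n",
           callback_is_unknown(0xfe120000ULL, sample_modules, N_MODULES));
    return 0;
}
```

The whitelist of ntoskrnl as a legitimate dispatch target matters: an unimplemented IRP slot legitimately points into the kernel image, so flagging "not in own image" alone would produce a false positive on every driver.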

WinLocker with some rootkit technology

Posted: Wed Mar 17, 2010 12:14 pm
by gjf
Dear All!

Could you please help in analysis of the following:
hxxp://www.mediafire.com/?wgxtxmyybiy
hxxp://www.mediafire.com/?zzjmjmzorln
(possibly the same just repacked versions)

What is this - it's malware which locks Windows, requesting an SMS for unlocking. We have had a huge amount of such malware at the beginning of this year.

What is interesting:
1. The malware detects virtualization and doesn't install (tested under VMWare 7.0.1 build-227600 - so that's why I cannot analyze it myself and am asking for your help).
2. It installs and hides a system driver under the name "\??\C2CAD972#4079#4fd3#A68D#AD34CC121074\b48dadf8.sys" or something like that, patching some active system driver. The original driver is stored under an encrypted name.
3. It locks Windows etc :)

Now the main way to remove this malware is to run the built-in uninstall procedure. But it would be very interesting to know what to do if such a procedure is omitted :)

Possibly I will present all versions of this locker so we can investigate the changes from version to version. If it is found interesting, of course.

Re: WinLocker with some rootkit technology

Posted: Wed Mar 17, 2010 12:58 pm
by Tuanloc
What is the password to extract this file?

Re: WinLocker with some rootkit technology

Posted: Wed Mar 17, 2010 1:10 pm
by gjf
Oh, sure. The password is virus

Re: WinLocker with some rootkit technology

Posted: Wed Mar 17, 2010 1:48 pm
by Tuanloc
You can upload the virus to http://www.threatexpert.com.
They will reply with the result after 2 minutes.

Re: WinLocker with some rootkit technology

Posted: Wed Mar 17, 2010 1:52 pm
by EP_X0FF
Hello,

you can try to use Desktops from SysInternals.
Set it up before running the sample and then switch desktops.
I doubt that this malware has something against this.

Regards.

Re: WinLocker with some rootkit technology

Posted: Wed Mar 17, 2010 2:25 pm
by gjf
EP_X0FF,

Possibly you understood me incorrectly. I am not asking about a way to cure this infection. Actually I know that (calling the built-in uninstaller). I am talking now about the way this malware hides itself and how to remove it if the present version is developed further.

In real life I cannot work at all after infection because of the locking - so I cannot install or use Desktops. Sure, I can install Desktops and use it forever as a defense tool, but that is not what we are talking about.

Consequently, I cannot use Desktops for analysis because I cannot risk my working system at the present time - and virtualization does not work. That's why I have posted this subject, expecting that someone more experienced will help. Moreover it could be of interest taking into account our topic here.