[unixfreaxjp]

Sirefef resurrected, date stamp 20/03/2014

Allow me to ask: The previous method to kill this botnet can be applied to fight him also in this round too, yes?
For security purpose you don't have to answer it if "yes".

[EP_X0FF]

As long as this botnet have infrastructure over p2p it can be disrupted. ZeroAccess waited few months and resurrected as I believe in "test" mode (only one plugin in network) to see how quick the MS response may be delivered/created.

[unixfreaxjp]

I don't know ZA the "botnet" part well like you folks. I respect what you all did, cool work.
But he's lurking.. since the infra is there, as per afraid of http://www.kernelmode.info/forum/viewto ... 490#p21817
Let's nail his ID, and compile a crime case to LE friends,
off list discussion is OK? Let's work it out. We can do this!

rgds

[flyroom]

Another plugin seen on ZeroAccess with port 16470

800000CB.7z

ZeroAccess 16470 Plugin password: infected
(20.81 KiB) Downloaded 56 times

[EP_X0FF]

Is it currently in zeroaccess network? I'm asking because this is old z00clicker from oct 2013.

[flyroom]

Is it currently in zeroaccess network? I'm asking because this is old z00clicker from oct 2013.

No, this plugin is not in za v2 now. From my latest crawling of za v2, there're only three functional plugins

[flyroom]

Updating in progress, another new plugin today, spreads on 16464 branch
btw, the plugin 800000CB on 16470 branch uploaded yesterday just disappeared, seems deleted by botmaster

80000001_16464.7z

password: infected
(7.62 KiB) Downloaded 72 times

[EP_X0FF]

It is 6 month old plugin from aug 2013.
I don't see anything new except two clickfraud modules.

[AronPX]

Does anyone have new sample of za?

[thisisu]

Does anyone have new sample of za?

Have a PC now with ZA that contains *etadpug service. Is that still newest variant?