A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #107  by EP_X0FF
 Sun Mar 14, 2010 1:43 pm
ZeroAccess (aka Sirefef) common information.

Multi-component family of malware that uses stealth to hide its presence on your computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes:
  • Downloading and executing of arbitrary files
  • Contacting remote hosts
  • Disabling of integrated Windows security features
Payload: clickfraud, bitcoin mining.
Features: p2p engine for botnet organization.

ZeroAccess timeline, thanks to rin.
All mentioned PDF files attached to the post, no pass.


Original post below.
Infects (replaces) system drivers.
Injects dll into address space of some trusted processes. Actively counteracts detection (stealing driver objects of disk.sys
and pci.sys) and removal. Driver install ImageLoad notification and performing IRP hooking for disk storage driver (disk.sys).
Payload dll performing a lot of modifications in user mode (splicing).

Previous generation of this rootkit was acting like file system redirector, killing detection software when it is trying to access
rootkit data.

http://www.virustotal.com/analisis/d224 ... 1268574110


no pass
(1.54 MiB) Downloaded 129 times
no pass
(1.22 MiB) Downloaded 88 times
no pass
(2.54 MiB) Downloaded 87 times
no pass
(968.57 KiB) Downloaded 99 times
2010 year dropper, pass: malware
(57.63 KiB) Downloaded 613 times
 #174  by ConanTheLibrarian
 Mon Mar 15, 2010 2:38 pm
I have yet to see any applications that are commercially free that will detect and remove this. By commercially free I mean free for use without restrictions by companies for profit.
 #181  by gjf
 Mon Mar 15, 2010 3:46 pm
Could you please provide more info concerning detection and removal? I know VBA32 removes it, but nope concerning detection specs and some other tools to help.
 #186  by EP_X0FF
 Mon Mar 15, 2010 4:30 pm
gjf wrote:Could you please provide more info concerning detection and removal?
It can be detected by public version of Rootkit Unhooker. Due to rootkit technology it steals disk.sys and pci.sys driver objects. These drivers double-listed by RkU. Also it has unknown image notify callback.
I've tried the following removal - overwrite replace driver with original (sometimes even simple copy-paste works) and reset system.
Typically antirootkits will not show you faked driver, because they only show discrepancies between file system data and raw disk data (files that hidden from API enumeration).
 #263  by gjf
 Wed Mar 17, 2010 12:14 pm
Dear All!

Could you please help in analysis of the following:
(possibly the same just repacked versions)

What is this - it's a malware which locks the Windows requesting sms for unlocking. We have a huge amount of such malwares in the beginning of this year.

What is interesting:
1. The malware detects virtualization and doen't install (tested under VMWare 7.0.1 build-227600 - so that's why I cannot analyze it by myself and asking for your help).
2. It installs and hides system driver under name "\??\C2CAD972#4079#4fd3#A68D#AD34CC121074\b48dadf8.sys" or something like that patching some active system driver. The original driver is stored under crypted name.
3. It locks Windwos etc :)

Now the main way to remove this malware is to run the built-in uninstall procedure. But it is very interesting to know what to do if such procedure is omitted :)

Possibly I will present all versions of this locker so we can investigate the changes from version to version. If it will be found interesting of course.
 #268  by EP_X0FF
 Wed Mar 17, 2010 1:52 pm

you can try use Desktops from SysInternals.
Set it before running sample and then switch desktop.
I doubt that this malware has something against this.

 #270  by gjf
 Wed Mar 17, 2010 2:25 pm

Possibly you understood me incorrectly. I am not asking about way how to cure this infection. Actually I know that (calling built-in uninstaller). I am talking now about the way this malware hides itself and how to remove it if the present version will be developed.

In real life I cannot work at all after infection because of locking - so I cannot install use Desktops. Sure, I can install Desktops and use it forever as defense tool, but it is not the way we are talking about.

Consequently, I cannot use Desktops for analysis because I cannot risk my working system at present time - and virtualization does not work. That's why I have posted this subj exepecting someone more experienced will help. Moreover it could be of interest taking into account our topic here.
  • 1
  • 2
  • 3
  • 4
  • 5
  • 38