[EP_X0FF]

ZeroAccess (aka Sirefef) common information.

Multi-component family of malware that uses stealth to hide its presence on your computer. Due to the nature of this threat, the payload may vary greatly from one infection to another, although common behavior includes:

• Downloading and executing of arbitrary files
• Contacting remote hosts
• Disabling of integrated Windows security features

Payload: clickfraud, bitcoin mining.
Features: p2p engine for botnet organization.

ZeroAccess timeline, thanks to rin.

• Summer 2009
  Intiial first rootkit version found ITW. Initially known as "win32k router" rootkit. Reparse points used for "kill av" purposes, actually kills everything what is trying to touch rootkit data.
  
  See MMPC encyclopedia entry (updated in 2011)
  Trojan:Win32/Sirefef.A
  
  Virus Bulletin: A journey into the Sirefef packer: a research case study
  Article at Virus Bulletin
• July - August 2009
  Firstly mentioned by a_d_13 at sysinternals and DiabloNova (EP_X0FF) at rootkit.com, rootkit gets it name MaxPlus from name of device it used "\Device\__max++>".
• End of 2009
  Russian ransomware Digitala/GetAccelerator equipped with Sirefef.A found in the wild. Original TDL3 based malware with z00clicker dll found in the wild.
• Beginning of 2010
  Second rootkit version arrived. Reimplemented in many ways. Sirefef already established botnet. Actual name "ZeroAccess" retrieved from pdb string found inside driver body.
  
  Reverse-engineered by Giuseppe Bonfa aka Evilcry
  Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware Rootkit
• May 2011
  Sirefef got x64 backdoor and big update for B version with new way of storing payload at disk and kill av module as separate driver, meaning it is in beta stage.
  z00clicker now used by Sirefef and updated to V2
  
  See Kaspersky blogpost about x64 backdoor
  MAX++ sets its sights on x64 platforms
  
  Sirefef "Kill AV" feature initially posted here
  
  Prevx blogpost describing the same stuff
  ZeroAccess Rootkit Guards Itself with a Tripwire
  
  Prevx blogpost describing new way of storing payload
  ZeroAccess Gets Another Update
• Later 2011 Summer
  Sirefef have incorporated killav plugin in main driver. In the wild found ZeroAccess plugin targetting TDL4 and TDL3 clones. Later the same year they removed from driver killav feature.
  
  Prevx found TDL4 killing plugin, mislabeled it as TDL3
  TDL3 and ZeroAccess: More of the Same?
  
  AVG blogpost about ZeroAccess dropper
  ZeroAccess’s trick - A wolf in sheep’s clothing
• End of 2011
  ZeroAccess start using Adobe FlashPlayer dll spoofing during installation.
  
  Blogpost from McAfee
  ZeroAccess Rootkit Launched by Signed Installers
  
  Kindsight article about ZeroAccess, describing P2P protocol V1 (pdf)
  Botnet: ZeroAccess/Sirefef
• March 2012
  Symantec writeup about ZeroAccess (pdf)
  Trojan.ZeroAccess Infection Analysis
  
  Sophos writeup about ZeroAccess (pdf)
  ZeroAccess
• May - Summer 2012
  Sirefef did major shift in distribution strategy removed rootkit as primary component and pushing few new variants described here on this forum in topic ZeroAccess (alias MaxPlus, Sirefef), p2p protocol updated to V2, z00clicker now V3.
  
  Sophos writeup about new user mode backdoor
  Major shift in strategy for ZeroAccess rootkit malware, as it shifts to user-mode
• September 2012
  Sophos writeup about ZeroAccess (pdf), partially describing P2P protocol V2 <- one of the best available articles about ZeroAccess
  The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain
• February 2013
  Win32/Sirefef detection and removal is now included in MSRT.
  MSRT February 2013 – Sirefef
  
  See this post for more details and removal guide.

All mentioned PDF files attached to the post, no pass.

****************************************************************************************

Original post below.

Infects (replaces) system drivers.
Injects dll into address space of some trusted processes. Actively counteracts detection (stealing driver objects of disk.sys
and pci.sys) and removal. Driver install ImageLoad notification and performing IRP hooking for disk storage driver (disk.sys).
Payload dll performing a lot of modifications in user mode (splicing).

Previous generation of this rootkit was acting like file system redirector, killing detection software when it is trying to access
rootkit data.

VirusTotal
http://www.virustotal.com/analisis/d224 ... 1268574110

MD5
d8f6566c5f9caa795204a40b3aaaafa2

SHA1
d0b7cd496387883b265d649e811641f743502c41

[ConanTheLibrarian]

I have yet to see any applications that are commercially free that will detect and remove this. By commercially free I mean free for use without restrictions by companies for profit.

[gjf]

Could you please provide more info concerning detection and removal? I know VBA32 removes it, but nope concerning detection specs and some other tools to help.

[EP_X0FF]

Hello,

Could you please provide more info concerning detection and removal?

It can be detected by public version of Rootkit Unhooker. Due to rootkit technology it steals disk.sys and pci.sys driver objects. These drivers double-listed by RkU. Also it has unknown image notify callback.
I've tried the following removal - overwrite replace driver with original (sometimes even simple copy-paste works) and reset system.
Typically antirootkits will not show you faked driver, because they only show discrepancies between file system data and raw disk data (files that hidden from API enumeration).

[gjf]

Dear All!

Could you please help in analysis of the following:
hxxp://www.mediafire.com/?wgxtxmyybiy
hxxp://www.mediafire.com/?zzjmjmzorln
(possibly the same just repacked versions)

What is this - it's a malware which locks the Windows requesting sms for unlocking. We have a huge amount of such malwares in the beginning of this year.

What is interesting:
1. The malware detects virtualization and doen't install (tested under VMWare 7.0.1 build-227600 - so that's why I cannot analyze it by myself and asking for your help).
2. It installs and hides system driver under name "\??\C2CAD972#4079#4fd3#A68D#AD34CC121074\b48dadf8.sys" or something like that patching some active system driver. The original driver is stored under crypted name.
3. It locks Windwos etc :)

Now the main way to remove this malware is to run the built-in uninstall procedure. But it is very interesting to know what to do if such procedure is omitted :)

Possibly I will present all versions of this locker so we can investigate the changes from version to version. If it will be found interesting of course.

[Tuanloc]

What is the Password to extract this file?

[gjf]

Oh, sure. The password is virus

[Tuanloc]

You can upload the virus to http://www.threatexpert.com.
They will reply the result after 2 minutes.

[EP_X0FF]

Hello,

you can try use Desktops from SysInternals.
Set it before running sample and then switch desktop.
I doubt that this malware has something against this.

Regards.

[gjf]

EP_X0FF,

Possibly you understood me incorrectly. I am not asking about way how to cure this infection. Actually I know that (calling built-in uninstaller). I am talking now about the way this malware hides itself and how to remove it if the present version will be developed.

In real life I cannot work at all after infection because of locking - so I cannot install use Desktops. Sure, I can install Desktops and use it forever as defense tool, but it is not the way we are talking about.

Consequently, I cannot use Desktops for analysis because I cannot risk my working system at present time - and virtualization does not work. That's why I have posted this subj exepecting someone more experienced will help. Moreover it could be of interest taking into account our topic here.