[EP_X0FF]

Does anyone have new sample of za?

Have a PC now with ZA that contains *etadpug service. Is that still newest variant?

If you mean "Google"/Desktop service version, I didn't noticed any new ZA droppers. They pushed click-fraud module in 2014 and nothing more, ZA is still half-dead.

[EP_X0FF]

One of the last available Sirefef droppers just before it takedown. Google/etadplug variant.

MD5 46f004fb9cdd93167dc0ac339d436286
SHA1 d38deb27b0da125881af78b258434ee752a7b5dd
SHA256 8c575bd3c91b7679995e485166606f96b3e51357006344f6b75646afa65aa068
https://www.virustotal.com/en/file/8c57 ... /analysis/

TimeDateStamp of dropper body (after crypter) 04/12/2013 23:16:14

Dropper+decrypted+extracted modules in attach

[kmd]

ZeroAccess Botnet: Is It Preparing Its Next Attack?
http://www.zonealarm.com/blog/2014/06/z ... xt-attack/

[EP_X0FF]

ZeroAccess Botnet: Is It Preparing Its Next Attack?
http://www.zonealarm.com/blog/2014/06/z ... xt-attack/

Marketing bullshit. Nothing changed since December. It is dying.

p.s.
The key of this article

Being vigilant about what you do online, as well as equipping your PC with updated [ url ]security software [/ url], will help you stay safe online.

where url is hxxp://www.zonealarm.com/security/en-us/computer-security.htm
very fun.

[R136a1]

Hi folks,

I have found a new year present from ZeroAccess author(s). This fresh variant comes in form of a dropper which contains the encrypted payload inside a .png file in the resource section.
-> see Zeroaccess_2016 (attached)

Last year around the same time an earlier (unencrypted) sample of this variant appeared in the wild which used a new UAC bypass method. This method was later adopted by H1N1 loader: https://github.com/hfiref0x/UACME/blob/ ... /hybrids.c
-> see Zeroaccess_2014 (attached)

Details will follow soon...

[EP_X0FF]

No WHITEFLAG :) In attach lowest level dropper and resources from it (classical Cabinet instead of Aplib used).

Uses NTFS junction and "." in the folder name to protect against removal. Deeper level dropper based on "Google" variant from 2013. Investigation continues :)

[EP_X0FF]

Components from 944e4fd798a8d74379c5794ee0a9090547bf2da60fa629d458b2247a82d6bedb (dated back December 2014).

Payload (both x64-x86), data files.

[EP_X0FF]

Brief analysis summary:

1) This variant dated back to 2014 year. One year after shutdown Sirefef already have a new version.
2) Dropper complicated and multistaged. Well like in previous variants.
3) Dropper uses effective UAC bypass (UACME #14). It doesn't work however under Windows 10 TH2 and Redstone builds.
4) No KnownDlls injection - instead it starts itself as service and injects kernel dll (k32/k64) into svchost and later in processes with network access (explorer.exe for example).
5 ) It uses new self-protection methods - hiding it files into juction protected folder which is not accessible for Win32 API.
6) Kernel dlls masqueraded as comres.dll (Windows Ldr entry hijack) in affected applications.
7) Embedded Windows 8/10 Windows Defender capable of detecting this malware in runtime and removing it, but I think it is only because this particular sample lacks obfuscation.

[rinn]

Hi.

NtOpenFile ( ... GENERIC_ALL ...), NtSetInformationFile(... FileRenameInformation ...); NtClose; - Shift+Del :) Also closing it handles inside svchost.exe result in delayed reboot.

Best Regards,
-rin

[Phant0m]

Anyone found from where this being pushed ? spam or EK ?