Vermilion Voice
Be On The Lookout For A Dangerous Rootkit That Can Infect Your Computer!

DejaVu
« on: October 09, 2011, 01:46:58 am »

Risk Assessment:    Home Low | Corporate Low
Date Discovered:    8/16/2011
Date Added:    8/16/2011
Origin:    N/A
Length:    varies
Type:    Trojan
Subtype:    Rootkit
DAT Required:    6440

Virus Characteristics

ZeroAccess is a family of Rootkits, capable of infecting the Windows Operating System. On infection, it overwrites Windows System Files and installs Kernel Hooks in an attempt to remain stealthy. Once the hooks are installed, the target operating system falls under control of the rootkit, which is then able to hide processes, files, and network connections, as well as to kill any security tools trying to access its files or processes. This rootkit is known to infect both 32 and 64 bit Windows operating systems.

ZeroAccess patches system files to load its malicious code. The original file content is overwritten, but the original system file is kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in an unsuspecting file on disk.

ZeroAccess is usually installed on a system by a malicious executable. Once this dropper is executed, it will install the rootkit which will perform the actions described below:

NOTE: A detailed description of this malware can be found on our Threat Advisory page here.

The following files are changed or created by the malware:

    The rootkit will create a file with a random name in %SYSTEMROOT%\system32\config\[random] or c:\windows\prefetch\[random]. This file will be used to store a virtual encrypted file system, used by the rootkit to store its configuration files and other supporting files.
    Some recent variants are creating a hidden folder named c:\windows\$NtUninstallKB[random]$ to store its files.
    ZeroAccess will then patch a randomly chosen system driver file. The patched file will be used as the rootkit’s restart mechanism to load its malicious kernel component when the system boots.
    The malware will create a trip-wire file which will be monitored to detect security tools scanning the system. Any process touching this file will be terminated. The file may be created as a system device or as an ADS (Alternate Data Stream) as follows:
    \\??\Global\systemroot\system32\svchost.exe\svchost.exe
    %SYSTEMROOT%\[random]:[random].exe

(where %SYSTEMROOT% represents the folder where Windows is installed, usually C:\Windows)

The following registry keys are changed or created:

    The malware then creates a service, and points the service's ImagePath key to the file above, to run it every time the system boots. The following is an example of such key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54e61bbc\Type: 0x00000001
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54e61bbc\Start: 0x00000003
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\54e61bbc\ImagePath: "\systemroot\3155945044:2870600771.exe"
    It may also create the following key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{f8cec7e5-22d1-631d-b463-054fb5b74060}


In newer variants, besides killing the process, the rootkit component will also remove all NTFS permissions from the offending files (by modifying their DACLs) and install an Image File Execution Option to disable execution of the file. This action is an attempt to disable security related tools and components.

Network Activity

ZeroAccess will report its installation and user activity to a remote server. Since the rootkit hides network connections from any tool running on the infected machine, system administrators may need to use external monitoring tools to check the network activity.

After infection, the malware will report installation and system activity using HTTP requests. These requests are usually made to destination port 80 but some variants also use port 8083 to communicate.

The requests have the following characteristics:

GET /stat2.php?w=46&i=d5d6a3459af7a34558e98254eb873a62&a=11 HTTP/1.1
Host:
User-Agent: Opera/6 (Windows NT 5.1; U; LangID=416; x86)

GET /bad.php?w=109&fail=0&i=d5d6a3459af7a3457ce3916737df5160 HTTP/1.1
Connection: keep-alive
Host:
User-Agent: Opera/6 (Windows NT 5.1; U; LangID=416; x86)

The following user-agent may also be used:

GET /%s HTTP/1.0
Host: %s
User-Agent: NSIS_Inetc (Mozilla)

During our test replication, the following IP addresses were contacted by the malware:

    95.64.46.44
    193.105.154.210
    69.50.212.157
    85.17.226.180


Rootkit Behavior

The rootkit component of ZeroAccess utilizes an advanced method for protecting itself and disabling any security tool trying to detect and remove it.

When a security tool tries to access the monitored file on disk or the service process in memory, the rootkit identifies the access attempt, triggering its protection system.

The protection consists of killing the process from kernel mode, making it effective against any type of security tool.

The rootkit also hooks some system APIs; examples of such hooks are shown below as depicted in the log by the publicly available GMER tool:

---- Kernel code sections - GMER 1.0.15 ----
.text  ntkrnlpa.exe!IoReuseIrp + 8B                        804EE879 7 Bytes  CALL F60880F5
.text  atapi.sys                                           F850384D 7 Bytes  CALL F60838F0
.text  mrxsmb.sys                                          F6D93000 107 Bytes  [06, 0F, 83, 2D, B5, 00, 00, ...]
.text  mrxsmb.sys                                          F6D9306C 101 Bytes  [EC, 8B, 45, 08, 8B, 40, 40, ...]
.text  mrxsmb.sys                                          F6D930D2 52 Bytes  CALL 386296E7
.text  mrxsmb.sys                                          F6D93107 31 Bytes  [90, 90, 90, 90, 90, FF, 25, ...]
.text  mrxsmb.sys                                          F6D93127 42 Bytes  [F6, 42, 08, 80, 0F, 84, C5, ...]

---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT    \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!HalGetAdapter]          840FFC4D
IAT    \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!IoWritePartitionTable]  00008258
IAT    \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!HalDisplayString]       0F01FE83


Source: http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=562354#

The most successful tyranny is not the one that uses force to assure uniformity, but the one that removes awareness of other possibilities, that makes it seem inconceivable that other ways are viable, that removes the sense that there is an outside. --Allan Bloom
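The network and registry indicators in the advisory above, turned into a small detection script. This is an added example, not McAfee's or the poster's code. The proxy log layout, the sample log lines and the service ImagePath values are constructed for illustration; the rules are only as specific as the advisory, so the NSIS_Inetc user agent and port 8083 are treated as weak signals because they also occur in benign traffic and do not raise a finding on their own.

```python
"""Detection helpers for the ZeroAccess indicators listed in the advisory.

Added example: this is not McAfee's or the forum poster's code. The proxy
log format, the sample log lines and the ImagePath values are constructed.
"""
import re

# Command-and-control addresses the advisory reports from its test replication.
KNOWN_C2 = {"95.64.46.44", "193.105.154.210", "69.50.212.157", "85.17.226.180"}

# Beacon URLs from the advisory: /stat2.php?w=N&i=<32 hex>&a=N
# and /bad.php?w=N&fail=N&i=<32 hex>.
BEACON_PATH = re.compile(
    r"^/(?:stat2\.php\?w=\d+&i=[0-9a-f]{32}&a=\d+"
    r"|bad\.php\?w=\d+&fail=\d+&i=[0-9a-f]{32})$"
)
# The fake Opera/6 string is specific to the malware. "NSIS_Inetc (Mozilla)" is
# the default agent of a widely used installer plugin, so it is only a weak signal.
STRONG_AGENTS = {"Opera/6 (Windows NT 5.1; U; LangID=416; x86)"}
WEAK_AGENTS = {"NSIS_Inetc (Mozilla)"}

# Service ImagePath naming an NTFS alternate data stream, e.g.
# "\systemroot\3155945044:2870600771.exe": the last path component is
# "file:stream" with an executable extension on the stream name.
ADS_IMAGEPATH = re.compile(r"\\[^\\:]+:[^\\:]+\.(?:exe|dll|sys)\s*$", re.IGNORECASE)

# Constructed proxy log layout: src dst:port "METHOD path HTTP/x.y" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/1\.[01]" "(?P<ua>[^"]*)"$'
)

# Constructed sample traffic: one benign request, two beacons, one installer fetch.
SAMPLE_LOG = [
    '10.0.0.7 203.0.113.5:80 "GET /index.html HTTP/1.1" "Mozilla/5.0 (Windows NT 6.1) Firefox/5.0"',
    '10.0.0.7 95.64.46.44:80 "GET /stat2.php?w=46&i=d5d6a3459af7a34558e98254eb873a62&a=11 HTTP/1.1" "Opera/6 (Windows NT 5.1; U; LangID=416; x86)"',
    '10.0.0.9 198.51.100.20:8083 "GET /bad.php?w=109&fail=0&i=d5d6a3459af7a3457ce3916737df5160 HTTP/1.1" "Opera/6 (Windows NT 5.1; U; LangID=416; x86)"',
    '10.0.0.9 198.51.100.21:80 "GET /setup/update.bin HTTP/1.0" "NSIS_Inetc (Mozilla)"',
]


def classify_request(dst_ip, dst_port, path, user_agent):
    """Return (strong, weak) indicator lists for one HTTP request."""
    strong, weak = [], []
    if dst_ip in KNOWN_C2:
        strong.append("known-c2-ip")
    if BEACON_PATH.match(path):
        strong.append("beacon-url")
    if user_agent in STRONG_AGENTS:
        strong.append("beacon-user-agent")
    if user_agent in WEAK_AGENTS:
        weak.append("installer-user-agent")
    if dst_port == 8083:
        weak.append("port-8083")
    return strong, weak


def scan_proxy_log(lines):
    """Report lines with at least one strong indicator; weak hits are attached as context."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # unparseable line: skip rather than guess at its fields
        strong, weak = classify_request(m["dst"], int(m["port"]), m["path"], m["ua"])
        if strong:
            findings.append({"line": lineno, "src": m["src"], "dst": m["dst"],
                             "strong": strong, "weak": weak})
    return findings


def is_ads_imagepath(image_path):
    """True if a service ImagePath value points at an alternate data stream."""
    return bool(ADS_IMAGEPATH.search(image_path.strip('"')))


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['src']} -> {f['dst']} {f['strong']} weak={f['weak']}")
    print(is_ads_imagepath('"\\systemroot\\3155945044:2870600771.exe"'))
```

Because the rootkit hides its own connections from tools on the infected host, this kind of check belongs on a proxy or network sensor, as the advisory suggests; the ImagePath check is the complementary host-side view, run against exported service registry values rather than on the live machine.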