ZeroAccess was updated again about a month ago. As we remember, previous versions contained a ring0 rootkit with VFS functionality and a fairly modern self-defence mechanism against AV scanners; they also infected drivers by hijacking the driver file on disk.
After that version with the ring0 rootkit, the rootkit was removed from the malware droppers (and, it seems, from the malware project too). In this version the malware authors changed the active-infection technique and moved it entirely into user mode. It uses this run key for autostart:

You can also check for its presence by these files/directories:

C:\WINDOWS\assembly\GAC\Desktop.ini
C:\WINDOWS\Installer\{UUID}\@
C:\WINDOWS\Installer\{UUID}\n
C:\WINDOWS\Installer\{UUID}\L\
C:\WINDOWS\Installer\{UUID}\U\
C:\Documents and Settings\User\Local Settings\Application Data\{UUID}
C:\Documents and Settings\User\Local Settings\Application Data\{UUID}\L
C:\Documents and Settings\User\Local Settings\Application Data\{UUID}\U
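To check for these artefacts on a machine or a mounted image, here is an added Python example (my code, not from the original post). It turns the paths above into glob patterns, treating {UUID} and the user profile name as wildcards, and takes the system and profiles roots as parameters; the sample tree it scans offline is constructed here and contains a benign MSI cache folder as a control.

```python
import glob
import os
import tempfile
from pathlib import Path
from typing import List, Tuple

# Indicator paths from the post, split into (root, components).  "{UUID}" and the
# per-user profile folder become glob wildcards so one scan covers any generated
# name and every user profile.  Components are joined per-OS so the same code
# runs against a live Windows volume or a mounted image on another OS.
INDICATORS: List[Tuple[str, Tuple[str, ...]]] = [
    ("system", ("assembly", "GAC", "Desktop.ini")),
    ("system", ("Installer", "{*}", "@")),
    ("system", ("Installer", "{*}", "n")),
    ("system", ("Installer", "{*}", "L")),
    ("system", ("Installer", "{*}", "U")),
    ("profiles", ("*", "Local Settings", "Application Data", "{*}", "L")),
    ("profiles", ("*", "Local Settings", "Application Data", "{*}", "U")),
]


def find_indicators(system_root: str, profiles_root: str) -> List[str]:
    """Return every existing path matching an indicator, as a sorted list."""
    roots = {"system": system_root, "profiles": profiles_root}
    hits = set()
    for root_kind, parts in INDICATORS:
        pattern = os.path.join(roots[root_kind], *parts)
        hits.update(glob.glob(pattern))
    return sorted(hits)


def build_sample_tree(base: Path) -> Tuple[Path, Path]:
    """Constructed sample: a fake %SystemRoot% and profiles root carrying four
    of the artefacts plus one normal MSI cache folder that must not match."""
    system = base / "WINDOWS"
    profiles = base / "Documents and Settings"
    (system / "assembly" / "GAC").mkdir(parents=True)
    (system / "assembly" / "GAC" / "Desktop.ini").write_text("[.ShellClassInfo]\n")
    uuid = "{11111111-2222-3333-4444-555555555555}"   # constructed, not a real IoC
    bad = system / "Installer" / uuid
    bad.mkdir(parents=True)
    (bad / "@").write_bytes(b"\x00" * 16)            # placeholder content
    (bad / "U").mkdir()
    benign = system / "Installer" / "{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}"
    benign.mkdir()
    (benign / "package.msi").write_bytes(b"")         # ordinary MSI cache entry
    user_lad = profiles / "User" / "Local Settings" / "Application Data" / uuid
    (user_lad / "L").mkdir(parents=True)
    return system, profiles


def scan_constructed_sample() -> List[str]:
    """Build the sample tree in a temp dir, scan it, and return hits relative to
    the temp dir with '/' separators so the result is identical on any OS."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        system, profiles = build_sample_tree(base)
        return [Path(h).relative_to(base).as_posix()
                for h in find_indicators(str(system), str(profiles))]


if __name__ == "__main__":
    # Live use on an XP-era Windows host; adjust the roots for other layouts.
    for hit in find_indicators(os.environ.get("SystemRoot", r"C:\WINDOWS"),
                               r"C:\Documents and Settings"):
        print("indicator present:", hit)
```

A hit on Desktop.ini alone is weak evidence, since Explorer writes that file in many folders; the `@`, `n`, `L` and `U` entries under an Installer or Application Data {UUID} folder are the ones worth pulling for analysis.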



Now they have changed tactics again: ZeroAccess carries a cross-platform file infector. The infector targets a system file, services.exe (see http://en.wikipedia.org/wiki/Service_Control_Manager).
It infects this file on x32 as well as x64.
The x32 infected services.exe looks like this:
As you can see, the shellcode was injected into the ScRegisterTCPEndpoint function.
Moreover, ZeroAccess stores the loader of the main payload in an Extended Attribute of the file (an additional NTFS attribute).
The shellcode in ScRegisterTCPEndpoint reads the EA into a buffer and transfers control to it. The EA holds another shellcode, a miniloader, and a PE file, a DLL.
So the shellcode from ScRegisterTCPEndpoint transfers execution to the shellcode from the EA.


The shellcode from the EA looks like this:

Its main purpose is to extract the DLL from the EA and load it.
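An added Python example (my code, not the post's and not the malware's) for the defender's side of this: it reads a file's EAs with ntdll!NtQueryEaFile on Windows, parses the FILE_FULL_EA_INFORMATION chain, and flags EA values that embed a PE image or are large enough to hold a loader. Any EA on services.exe deserves a look; the PE/size heuristic is there because newer Windows builds attach small code-integrity EAs to system binaries. The sample entries are constructed (a NOP stub followed by a minimal fake PE header), so the parser and heuristic run offline on any OS.

```python
import struct
import sys
from typing import List, Tuple

# FILE_FULL_EA_INFORMATION header as returned by NtQueryEaFile:
#   ULONG NextEntryOffset; UCHAR Flags; UCHAR EaNameLength; USHORT EaValueLength;
# followed by the NUL-terminated EaName (EaNameLength excludes the NUL) and the value.
_EA_HDR = struct.Struct("<IBBH")
STATUS_NO_EAS_ON_FILE = 0xC0000052
STATUS_BUFFER_OVERFLOW = 0x80000005


def parse_ea_buffer(buf: bytes) -> List[Tuple[str, bytes]]:
    """Walk a FILE_FULL_EA_INFORMATION chain and return (name, value) pairs."""
    entries: List[Tuple[str, bytes]] = []
    offset = 0
    while offset + _EA_HDR.size <= len(buf):
        next_off, _flags, name_len, value_len = _EA_HDR.unpack_from(buf, offset)
        name_start = offset + _EA_HDR.size
        name = buf[name_start:name_start + name_len].decode("ascii", "replace")
        value_start = name_start + name_len + 1        # skip the NUL after the name
        entries.append((name, buf[value_start:value_start + value_len]))
        if next_off == 0:
            break
        offset += next_off
    return entries


def build_ea_buffer(entries: List[Tuple[str, bytes]]) -> bytes:
    """Encoder for constructed test data; entries are 4-byte aligned like NTFS does."""
    out = bytearray()
    for i, (name, value) in enumerate(entries):
        payload = name.encode("ascii") + b"\0" + value
        total = _EA_HDR.size + len(payload)
        padded = (total + 3) & ~3
        next_off = padded if i < len(entries) - 1 else 0
        out += _EA_HDR.pack(next_off, 0, len(name), len(value)) + payload
        out += b"\0" * (padded - total if next_off else 0)
    return bytes(out)


def contains_pe(blob: bytes) -> bool:
    """True if an MZ header whose e_lfanew points at 'PE\\0\\0' sits anywhere in
    blob, which is what a shellcode-plus-DLL EA looks like."""
    idx = blob.find(b"MZ")
    while idx != -1:
        if idx + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, idx + 0x3C)[0]
            if blob[idx + e_lfanew:idx + e_lfanew + 4] == b"PE\0\0":
                return True
        idx = blob.find(b"MZ", idx + 1)
    return False


def suspicious_eas(entries: List[Tuple[str, bytes]], min_size: int = 4096) -> List[str]:
    """Names of EAs that embed a PE image or are large enough to carry a loader."""
    return [n for n, v in entries if contains_pe(v) or len(v) >= min_size]


def read_file_eas(path: str) -> bytes:
    """Windows only: raw EA buffer of `path` via ntdll!NtQueryEaFile (b"" if none)."""
    import ctypes
    import msvcrt
    from ctypes import wintypes

    class IO_STATUS_BLOCK(ctypes.Structure):
        _fields_ = [("Status", ctypes.c_void_p), ("Information", ctypes.c_void_p)]

    ntdll = ctypes.WinDLL("ntdll")
    ntdll.NtQueryEaFile.restype = ctypes.c_uint32
    ntdll.NtQueryEaFile.argtypes = [
        wintypes.HANDLE, ctypes.POINTER(IO_STATUS_BLOCK), ctypes.c_void_p, wintypes.ULONG,
        wintypes.BOOLEAN, ctypes.c_void_p, wintypes.ULONG, ctypes.POINTER(wintypes.ULONG),
        wintypes.BOOLEAN]
    buf = ctypes.create_string_buffer(64 * 1024)       # all EAs on one file fit in 64 KiB
    iosb = IO_STATUS_BLOCK()
    with open(path, "rb") as f:                        # GENERIC_READ includes FILE_READ_EA
        status = ntdll.NtQueryEaFile(msvcrt.get_osfhandle(f.fileno()), ctypes.byref(iosb),
                                     buf, len(buf), False, None, 0, None, True)
    if status == STATUS_NO_EAS_ON_FILE:
        return b""
    if status not in (0, STATUS_BUFFER_OVERFLOW):
        raise OSError(f"NtQueryEaFile failed: 0x{status:08X}")
    return buf.raw[:int(iosb.Information or 0)]


# Constructed sample: one harmless EA and one shaped like the post describes
# (stub shellcode, then a PE); the "PE" is a bare fake header, not malware content.
_FAKE_PE = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40) + b"PE\0\0" + bytes(16)
SAMPLE_EAS: List[Tuple[str, bytes]] = [
    ("TEST.EA", b"abc"),
    ("LOADER", b"\x90" * 8 + _FAKE_PE),
]

if __name__ == "__main__":
    if sys.platform == "win32":
        target = r"C:\WINDOWS\system32\services.exe"
        eas = parse_ea_buffer(read_file_eas(target))
        print(target, "EAs:", [(n, len(v)) for n, v in eas], "suspicious:", suspicious_eas(eas))
    else:
        print("offline check:", suspicious_eas(parse_ea_buffer(build_ea_buffer(SAMPLE_EAS))))
```

On a live host, run it against services.exe and dump any flagged EA value to a file; the value is the miniloader plus DLL the post describes and can be handed to the usual PE tooling.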

Dropper:

MD5: c6e73a75284507a41da8bef0db342400
SHA1: 23e1f3a819e4e4af58c4a6d5eb489b90ebd7ae8f

And of course the AV guys were as fast as possible :(

