Revisiting the "ZeroAccess" rootkit and understanding why earlier variants continue to propagate on the Internet

Introduction



Welcome back! This week I will be discussing the "ZeroAccess" rootkit: revisiting how it works, what can remove it, and why this piece of malware has seen a tremendous surge of late, after first having been discovered in 2010! Briefly, ZeroAccess is a "stealthy" piece of malware that usually installs itself via a "drive-by download" from the Internet, something that is sometimes called "pharming" in the hacking world. Some of these websites contain JavaScript that carries what programmers refer to as "shellcode" to take advantage of zero-day exploits in either the web browser itself (something that has declined steadily over the last few years because of sandboxed applications like Google Chrome) or in Java and Adobe PDF! The exact mechanism is quite complicated and varies from machine to machine, but unpatched XP, Vista, and Windows 7 machines are the BIGGEST targets (XP especially), because they have so many security holes and more vulnerabilities are always "lurking" around the corner. The drive-by method is easily the most common automated way that ZeroAccess winds up on machines. Statistically, ZeroAccess and its botnet variants have infected roughly ~800,000 to ~1,000,000 computers all over the world. That makes it a significant threat, and to compound the difficulty it is a "stealthy" rootkit. Why has it seen a resurgence of late? The exact reason may be "unknown", but I would argue it could be attributed to "potentially" new polymorphic variants in the TDL-3/4 family of rootkits, or to new zero-day vulnerabilities that have yet to be discovered. I will get into more of the technical details below, referencing a blog entry written by a Webroot security expert two years ago and my own observations, having recently dealt with removing it from a family member's Vista machine!
Lastly, I will draw some conclusions about why one should keep a Windows machine patched on a consistent basis, or consider running Windows inside sandboxed VMs instead ;-D. Let's begin with some technical details on how ZeroAccess works, drawn from a blog post from last year [1].

Technical details on how ZeroAccess works and infects Windows XP and 7 machines



Briefly, a rootkit can operate either in user mode or in kernel mode. The latter gives attackers more direct access to the operating system, but is much more complicated to write unless a driver is built by hand and signed with a forged signature (this is especially true on x64 versions of Windows 7). ZeroAccess infects Windows XP machines at the kernel level because drivers on most XP machines were NOT digitally signed and did not have Kernel Guard protection at the time; you will probably see ZeroAccess infecting XP machines more commonly. On the flip side, on 64-bit Windows 7 machines it infects the operating system in user mode. It does this by attempting to hook common system drivers via other processes, such as explorer.exe or svchost.exe!

Once the rootkit is installed into a specific hidden sector in the MBR on the hard drive, it attempts to send data back to the C&C server encrypted with the RC4 stream cipher; in other words, that is how it contacts the botnet. Those of you who aren't familiar with encryption should know that RC4 is a "stream cipher" and not a "block cipher", unlike AES and 3DES, the algorithms most commonly used in security applications today. RC4 is covered in most security textbooks, though its algorithmic implementation is used for other kinds of applications.

After the rootkit is on the machine, it attempts to download more trojan droppers, mainly more malware and FakeAV scanners. One thing that should be noted is that it does a very good job of severely restricting access control lists (ACLs) in Windows, so that you can't run common AV scans on the machine, including other common tools like Malwarebytes! Keep that in mind if you have an infected machine, because even after you remove the rootkit you may need other tools that can bypass and restore the ACL restrictions in Windows.


Windows Applications that can detect and remove the ZeroAccess Rootkit and sometimes the TDL family rootkits


Here is a moderate list of Windows applications that can be used to remove ZeroAccess and "sometimes" variants of the TDL-3/4 family of rootkits!


  • TDSS Killer by Kaspersky Labs - Kaspersky Labs puts out new builds of this tool that can detect "new" polymorphic variants in the TDL-3/4 family of rootkits, including ZeroAccess, Alureon, etc. It requires little to no understanding to use. (Note: malware sometimes prevents TDSS Killer from running if it detects it.)
  • Malwarebytes - Everyone's "favorite" piece of anti-malware software for Windows. It requires little to no understanding to use and to remove the rootkit (it will detect it). (Note: malware sometimes prevents Malwarebytes from running if it detects it.)
  • RogueKiller by Tigzy - RogueKiller can be used to "kill" ransomware and other FakeAV scanners and to prevent the malware from executing temporarily, or for a specific period of time, long enough for you to remove it. It requires "intermediate" skills to stop ZeroAccess with this tool (but it will detect it).
  • GMER - a sophisticated piece of anti-rootkit software. It requires "intermediate" to "advanced" skills to remove ZeroAccess and its family variants with this tool (you would need to unhook drivers and processes manually by yourself) [2].
  • Most anti-virus software - Most AV software, including Security Essentials, AVG, ESET, and Kaspersky, can "sometimes" detect most ZeroAccess and TDL family variants using improved heuristics. (Note: the rootkit is named differently by different vendors. ESET, for instance, refers to it as "Win32/Kryptik".)

Conclusion


In conclusion, it can be seen that ZeroAccess can be quite a complicated rootkit to remove! It takes diligence and patience to remove it if you're one of the ~800,000 to ~1,000,000 people whose Windows XP or 7 machine it has infected! In order to avoid making the same mistake twice, one might want to STRONGLY consider running Windows inside a sandboxed VM in the future, and keeping your system patched and up to date! These are the two easiest and most effective ways to prevent the rootkit from infecting your Windows machine. That's all for this week. I hope you found this lengthy entry on the ZeroAccess rootkit informative! I will be back next week with "potentially" a new law entry, revisiting U.S. vs. Fricosu (2011) and how that case will relate to future cases surrounding the Fifth Amendment and self-incrimination (like what we saw with the Kim Dotcom "strategy" in the last post of my old blog). I hope everyone has a wonderful week ahead! Take care. ;-D


References:




1. Webroot Threat Blog. "ZeroAccess Rootkit Guards itself with a tripwire." 8 July 2011. http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/ (accessed 07 Jan 2013).
2. Ligh, Michael, et al. Malware Analyst's Cookbook and DVD: Tools for Fighting Malicious Code. Indiana: Wiley & Sons, 2010. pp. 359-363. ISBN-13: 9780470613030.
