Security researchers at InfoSec Institute took apart the ZeroAccess rootkit and found two weaknesses that would disable its ability to run in stealth mode.
Researchers at InfoSec Institute deconstructed ZeroAccess, a sophisticated
and advanced rootkit that downloads even more malware onto affected systems.
instructions for reverse engineering ZeroAccess
were posted by InfoSec to
expose the weaknesses that the "good guys" can use to design security
products that can "detect and remove" the rootkit from compromised
systems, Jack Koziol, program manager at InfoSec Institute, told eWEEK.
Two main weaknesses were found in
the ZeroAccess device drivers that can be used to remove or compromise the
rootkit's ability to run in stealth mode, he said.
Symantec estimated that approximately 250,000 systems worldwide have
ZeroAccess installed, related Koziol. While the number isn't in the millions,
like some other Web threats, ZeroAccess gives the criminals the ability to
launch "very targeted" attacks and to harvest any type of data, he
ZeroAccess is currently pushing fake
with names like "Wireshark Antivirus, which has no
relationship to Wireshark
the popular open-source network protocol analyzer tool. Users are prompted with
fake malware warning messages and encouraged to download the antivirus software,
usually for $70. If only 10 percent of affected users fall for the scam, that's
more than a million dollars of revenue straight in to the criminals' pockets.
According to Melih Abdulhayoglu, CEO and chief security architect of
security company Comodo, criminals can "easily" make $160 million a year
selling fake anti-virus software.
The developers who created ZeroAccess were "very smart," in that
they used various "creative" low-level methods that made it almost
impossible to remove the malware without somehow damaging the host operating
system, said Koziol. The rootkit uses device drivers to create hidden volumes
on the hard drive that are virtually impossible to detect using normal
techniques. The hidden partition is still there even if data is deleted or if
the volume is formatted.
The rootkit "has low level disk access that allows it to create new
volumes that are totally hidden from the victim's operating system and
anti-virus," wrote Giuseppe Bonfa, the InfoSec researcher who deconstructed
The hidden volume tactic is "unique," and ZeroAccess is currently
the only one that is advanced enough to do this, according to Koziol.
InfoSec researchers traced the rootkit's origins to sites hosted by Ecatel
Network, which is controlled by the cyber-crime gang Russian Business Network,
Koziol said. RBN accounts for more than 20
percent of the spam created per day, and it is known as a big distributor of fake
anti-virus software, prompting Verisign to call them the "baddest of the
bad," according to Koziol.
However, security researchers at antivirus provider ESET downplayed the
connection, saying it was only "possible" that the "bad
site" was under RBN's control.
ZeroAccess by itself doesn't do any data collection or active damage to the
host. It is a platform that cyber-criminals can use to install whatever
crimeware they are pushing that day, said Koziol. If the "flavor of the
month" is to steal financial data, the criminals can start distributing
the Zeus Trojan to compromised boxes.
"They switch to whatever will make them the most money," Koziol
ZeroAccess is currently not self-replicating, but there is nothing stopping
the cyber-criminals from pushing software that would make systems infect other
computers in the local network or turn compromised systems into Web servers to
distribute more malware, said Koziol.
Users can be infected with ZeroAccess via "drive-by download" from
, said Koziol. The Web site can be a distribution point like a torrent
site or a link from a spam e-mail. If the user's browser is vulnerable, then
ZeroAccess will automatically download. The rootkit is "cunning"
enough that if the browser is patched and it can't download and install itself,
it will pop up a message saying, "Would you like to download this
file?" and trick the user that way, said Koziol.
InfoSec offers IT professionals training courses on reverse engineering
malware, said Koziol. The goal is to provide to IT administrators the tools and
techniques they can use to "help them discover who is attacking
them," he said.
One of the malware researchers was putting together materials for the course
when he noticed some of the unique features in ZeroAccess, according to Koziol.