InfoSec Cracks Open ZeroAccess Rootkit to Find Unique Features

Security researchers at InfoSec Institute took apart the ZeroAccess rootkit and found two weaknesses that would disable its ability to run in stealth mode.

Researchers at InfoSec Institute deconstructed ZeroAccess, a sophisticated and advanced rootkit that downloads even more malware onto affected systems.

The step-by-step instructions for reverse engineering ZeroAccess were posted by InfoSec to expose the weaknesses that the "good guys" can use to design security products that can "detect and remove" the rootkit from compromised systems, Jack Koziol, program manager at InfoSec Institute, told eWEEK. Two main weaknesses were found in the ZeroAccess device drivers that can be used to remove or compromise the rootkit's ability to run in stealth mode, he said.

Symantec estimated that approximately 250,000 systems worldwide have ZeroAccess installed, Koziol said. While the number isn't in the millions, like some other Web threats, ZeroAccess gives the criminals the ability to launch "very targeted" attacks and to harvest any type of data, he said.

ZeroAccess is currently pushing fake anti-virus software with names like "Wireshark Antivirus," which has no relationship to Wireshark, the popular open-source network protocol analyzer tool. Users are prompted with fake malware warning messages and encouraged to download the antivirus software, usually for $70. If only 10 percent of affected users fall for the scam, that's more than a million dollars of revenue straight into the criminals' pockets.

According to Melih Abdulhayoglu, CEO and chief security architect of security company Comodo, criminals can "easily" make $160 million a year selling fake anti-virus software.

The developers who created ZeroAccess were "very smart," in that they used various "creative" low-level methods that made it almost impossible to remove the malware without somehow damaging the host operating system, said Koziol. The rootkit uses device drivers to create hidden volumes on the hard drive that are virtually impossible to detect using normal techniques. The hidden partition is still there even if data is deleted or if the volume is formatted.

The rootkit "has low level disk access that allows it to create new volumes that are totally hidden from the victim's operating system and anti-virus," wrote Giuseppe Bonfa, the InfoSec researcher who deconstructed ZeroAccess.

The hidden volume tactic is "unique," and ZeroAccess is currently the only rootkit advanced enough to do this, according to Koziol.
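The article does not describe how the ZeroAccess driver lays out its hidden volume, so the following is not ZeroAccess-specific and is not code from InfoSec Institute's write-up. It is an added example of the kind of raw-disk check a practitioner reaches for when the operating system's own view of a drive is not trusted: parse the MBR partition table straight from the first sector and report any sizable run of sectors that no partition accounts for, which is where a volume hidden from the OS might live. The MBR image below is constructed inline (a 10 GiB disk with one NTFS partition and about 2 GiB unaccounted for at the end); the 2048-sector threshold and the disk size are assumptions for the example, and a real check would read sector 0 of the physical device and take its size from the device, not from a constant.

```python
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 446   # four 16-byte partition entries live here
MBR_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"

# Each MBR entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) LBA-count(4), little-endian.
ENTRY_FMT = "<B3xB3xII"


def parse_mbr(mbr: bytes):
    """Return the non-empty partition entries of an MBR sector, sorted by start LBA."""
    if len(mbr) < SECTOR or mbr[510:512] != MBR_SIGNATURE:
        raise ValueError("not an MBR: bad boot signature")
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE
        status, ptype, lba_start, lba_count = struct.unpack_from(ENTRY_FMT, mbr, off)
        if ptype == 0 or lba_count == 0:       # empty slot
            continue
        parts.append({
            "index": i,
            "type": ptype,
            "bootable": status == 0x80,
            "start": lba_start,
            "end": lba_start + lba_count,      # exclusive end sector
        })
    return sorted(parts, key=lambda p: p["start"])


def find_unallocated(parts, disk_sectors, min_sectors=2048):
    """Return (start, end) sector ranges not covered by any partition entry.

    Gaps smaller than min_sectors (the usual 1 MiB alignment slack) are ignored.
    A large gap is only a lead: it must be read and inspected, not treated as proof.
    """
    gaps = []
    cursor = 1                                  # sector 0 holds the MBR itself
    for p in parts:
        if p["start"] - cursor >= min_sectors:
            gaps.append((cursor, p["start"]))
        cursor = max(cursor, p["end"])
    if disk_sectors - cursor >= min_sectors:
        gaps.append((cursor, disk_sectors))
    return gaps


def build_mbr(entries):
    """Construct a synthetic MBR for testing; entries are (type, start_lba, count) tuples."""
    mbr = bytearray(SECTOR)
    for i, (ptype, start, count) in enumerate(entries):
        status = 0x80 if i == 0 else 0x00
        struct.pack_into(ENTRY_FMT, mbr, MBR_TABLE_OFFSET + i * MBR_ENTRY_SIZE,
                         status, ptype, start, count)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed sample: 10 GiB disk (assumed size), one 8 GiB NTFS (0x07) partition at LBA 2048.
DISK_SECTORS = 20_971_520
SAMPLE_MBR = build_mbr([(0x07, 2048, 16_777_216)])

# Same disk with a second partition filling the remainder: nothing should be flagged.
FULL_MBR = build_mbr([(0x07, 2048, 16_777_216), (0x07, 16_779_264, 4_192_256)])


def suspicious_regions(mbr: bytes, disk_sectors: int):
    return find_unallocated(parse_mbr(mbr), disk_sectors)


if __name__ == "__main__":
    for name, image in (("sample", SAMPLE_MBR), ("full", FULL_MBR)):
        for start, end in suspicious_regions(image, DISK_SECTORS):
            mib = (end - start) * SECTOR // (1024 * 1024)
            print(f"{name}: unallocated sectors {start}-{end} ({mib} MiB) - inspect raw contents")
```

The comparison that matters in practice is between this raw-sector view and what the OS reports (for example `diskpart` or the volume manager): a region the partition table or the device size accounts for but the OS never exposes is what you would then dump and examine. This example deliberately stops at the partition table and does not assume any particular on-disk format for the hidden volume, because the article does not give one.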

InfoSec researchers traced the rootkit's origins to sites hosted by Ecatel Network, which is controlled by the cyber-crime gang Russian Business Network, Koziol said. RBN accounts for more than 20 percent of the spam created per day, and it is known as a big distributor of fake anti-virus software, prompting Verisign to call them the "baddest of the bad," according to Koziol.

However, security researchers at antivirus provider ESET downplayed the connection, saying it was only "possible" that the "bad site" was under RBN's control.

ZeroAccess by itself doesn't do any data collection or active damage to the host. It is a platform that cyber-criminals can use to install whatever crimeware they are pushing that day, said Koziol. If the "flavor of the month" is to steal financial data, the criminals can start distributing the Zeus Trojan to compromised boxes.

"They switch to whatever will make them the most money," Koziol said.

ZeroAccess is currently not self-replicating, but there is nothing stopping the cyber-criminals from pushing software that would make systems infect other computers in the local network or turn compromised systems into Web servers to distribute more malware, said Koziol.

Users can be infected with ZeroAccess via "drive-by download" from a compromised site, said Koziol. The Web site can be a distribution point like a torrent site or a link from a spam e-mail. If the user's browser is vulnerable, then ZeroAccess will automatically download. The rootkit is "cunning" enough that if the browser is patched and it can't download and install itself, it will pop up a message saying, "Would you like to download this file?" and trick the user that way, said Koziol.

InfoSec offers IT professionals training courses on reverse engineering malware, said Koziol. The goal is to provide to IT administrators the tools and techniques they can use to "help them discover who is attacking them," he said.

One of the malware researchers was putting together materials for the course when he noticed some of the unique features in ZeroAccess, according to Koziol.