Dissecting the ZeroAccess Rootkit

The ZeroAccess rootkit isn’t the most well-known or closely watched piece of malware in recent history, but, as an extremely detailed new analysis of the program shows, it is a perfect example of the kind of sophisticated malware that attack crews are using to maintain persistent, silent access to compromised machines.

ZeroAccess is being used as a platform for installing other malicious software on infected PCs and is part of a scheme to install rogue AV programs and solicit payments for their removal. The rootkit is a particularly nasty and intractable one: it has the ability to inject itself into various device drivers and processes, and it sits at the lowest level of the software stack, according to an analysis of ZeroAccess by Giuseppe Bonfa of the InfoSec Institute. The massive four-part analysis takes the rootkit apart bit by bit and shows the tactics it uses to infect new machines, maintain its persistence and stay out of sight.

“InfoSec Institute would classify ZeroAccess as a sophisticated, advanced rootkit. It has 4 main components that we will reverse in great detail in this series of articles. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power-users to remove and very difficult for security experts to forensically analyze,” Bonfa wrote.

“At the conclusion of the analysis, we will trace the criminal origins of the ZeroAccess rootkit. We will discover that the purpose of this rootkit is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers. We will also see that ZeroAccess is currently being used to deliver FakeAntivirus crimeware applications that trick users into paying $70 to remove the ‘antivirus.’ It could be used to deliver any malicious application, such as one that steals bank and credit card information in the future.”

One of the tricks ZeroAccess uses is a set of low-level API calls to partition new disk volumes that the user can’t see. The rootkit also does kernel-level monitoring of processes in both kernel and user space and has the ability to evade most in-memory forensic tools as well, making analysis and reverse engineering difficult.

The motive behind all of this stealthiness and clever engineering is, as one might expect, money. The ZeroAccess rootkit is being used as a platform for installing fake AV programs on infected machines as part of a campaign that demands victims pay a $70 fee to remove the unwanted software, Bonfa found. Many scareware or rogue AV programs are installed through either drive-by downloads or when users click on a dialog box on an infected Web site.

In the case of ZeroAccess, the rootkit uses a malicious DLL that starts a thread which eventually makes a couple of calls to a remote server to request the malicious code that installs the rogue AV software.

“This injected DLL serves the purpose of generating web redirections to malicious websites that contain FakeAntivirus software. With fake AV software costing the victim anywhere from $30 to $100, this is a lucrative earner for criminals.”

Indeed, rogue AV and scareware are absolute gold mines for the attackers on the other end. Many times, victims who pay the fee to allegedly remove the malware from their PCs find that the program either isn’t removed or that they are quickly re-infected. These programs often are part of larger black hat SEO and SQL injection campaigns deployed by attack crews.