A new exploit pack has appeared on the scene in the last week or so and it already is causing trouble for users, with thousands of compromised Web sites redirecting users to a page that is hosting the pack and exploiting vulnerabilities on their machines to install malware.
ZeroAccess is a relatively new Trojan, but it’s not unlike many of its predecessors in that it is meant to remain hidden on users’ PCs and gather confidential information and ship it off to a remote attacker. ZeroAccess has some rootkit-like capabilities that enable it to hook the operating system at a low level and remain persistent on the infected machine after reboots and attempts to remove it.
In conjunction with the appearance of the Nice Pack exploit kit, SecureWorks researchers said they also have seen an increase in attacks by ZeroAccess in recent weeks. Nice Pack, like other exploit kits, takes a broad-based approach in its efforts to compromise as many machines as possible, firing off exploits against a menu of applications.
“It is exploiting vulnerabilities in various versions of Java, Flash and Adobe. If successful, it is downloading a newer Trojan in the malware market, one which we have just seen in the news since the second quarter of this year. It is called ZeroAccess Trojan, and it does have rootkit capability,” Ben Feinstein, director of operations and analysis for the SecureWorks CTU, said. “Coincidentally, in the past week, the CTU has detected many attempted attacks by the ZeroAccess Trojan, across a wide range of industry verticals including financial, healthcare, education, utilities and manufacturing, which would indicate that it is being used in a broad-based attack, mounted by a Web Based Exploit Kit.”
The company said that it has seen approximately 16,000 compromised pages that are redirecting users to the site that’s hosting the Nice Pack exploit kit.