ZeroAccess Rootkit Latest in Line of x64 Malware to Appear

Never ones to be left behind as progress marches on, attackers are beginning to develop more and more tools aimed specifically at exploiting 64-bit machines. The latest entry into the field is an x64 version of the ZeroAccess rootkit, a nasty piece of malware that’s been circulating for some time and has a number of interesting capabilities, including anti-forensics and kernel-level monitoring.

The new version of ZeroAccess, which is also known as Max++, is not all that different from previous iterations: it is designed to remain persistent on infected machines via rootkit hooks that burrow into the lower levels of the operating system. The malware typically is installed on users’ machines via drive-by downloads that exploit any one of a number of known vulnerabilities, often bugs in Adobe Reader or Java.

Once the malware is on a machine, it checks the PC’s specifications. Specifically, it determines whether it is running on an x64 system and, if so, loads a module that contains a dropper built just for that platform, according to an analysis by Kaspersky Lab researcher Vasily Berdnikov.

“Most interesting of all is when the downloader is run on an x64 system. This results in a dropper specially compiled for x64 systems being downloaded to the victim’s computer. This dropper does not contain a rootkit. It is usermode malware that replicates the behavior of an x32 rootkit except that its components are files and are stored in “$windir\assembly” with similar directory structures. Autorun on x64 systems is provided by the registry key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems”. The body of the dropper is placed in the system32 folder under the name consrv.dll. All the modules that the dropper downloads following its own installation are also designed for 64-bit platforms,” the analysis says.
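A practical way to act on the two indicators in that quote (the SubSystems registry key used for autorun and the consrv.dll body in system32) is a small triage script. The following is an added example, not code from this article or from Kaspersky Lab. It parses the ServerDll= entries of the SubSystems “Windows” value and flags any module outside an allowlist, then looks for consrv.dll on disk. The allowlist (basesrv, winsrv, sxssrv), the sample values, and the exact way a tampered value would look are assumptions modelled on a stock Windows 7 configuration; the article only states that the key provides autorun and that the body lives in system32 as consrv.dll.

```python
"""Triage check for the x64 ZeroAccess persistence described in the article.

Added example; not code from the article or from Kaspersky Lab. It inspects the
SubSystems key under Session Manager that the quoted analysis names and looks
for the consrv.dll body in system32. The allowlist of legitimate ServerDll
modules and the shape of a tampered value are assumptions (modelled on a stock
Windows 7 'Windows' value), not facts stated in the article.
"""
import os
import re
import sys

SUBSYSTEMS_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"

# Assumption: the server DLLs a clean Windows 7 x64 'Windows' value references.
# Build your own baseline from a known-good host before relying on this list.
KNOWN_SERVER_DLLS = {"basesrv", "winsrv", "sxssrv"}

# Each ServerDll= token names a module, optionally followed by
# ':EntryPoint,ordinal'; capture just the module name.
SERVERDLL_RE = re.compile(r"ServerDll=([^:,\s]+)", re.IGNORECASE)

# Constructed sample values (not captured from a real host).
SAMPLE_CLEAN = (
    r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 "
    "ProfileControl=Off MaxRequestThreads=16"
)
# Hypothetical tampered value (assumption): the console server entry points at
# consrv, so csrss.exe would load system32\consrv.dll at boot.
SAMPLE_TAMPERED = SAMPLE_CLEAN.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)


def server_dlls(windows_value):
    """Module names referenced by ServerDll= entries, in order, lower-cased."""
    return [m.group(1).lower() for m in SERVERDLL_RE.finditer(windows_value)]


def suspicious_server_dlls(windows_value, allowlist=KNOWN_SERVER_DLLS):
    """ServerDll modules outside the allowlist; 'consrv' is the ZeroAccess case."""
    return [d for d in server_dlls(windows_value) if d not in allowlist]


def file_indicators(system_root):
    """Paths under system_root matching the dropper body named in the analysis."""
    candidates = [os.path.join(system_root, "system32", "consrv.dll")]
    return [p for p in candidates if os.path.isfile(p)]


def read_live_windows_value():
    """Read the 'Windows' value from the live registry (Windows only)."""
    import winreg  # only available on Windows
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SUBSYSTEMS_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Windows")
    return value


def main():
    # On Windows, inspect the live host; elsewhere, run against the sample.
    if sys.platform == "win32":
        value = read_live_windows_value()
        root = os.environ.get("SystemRoot", r"C:\Windows")
    else:
        value, root = SAMPLE_TAMPERED, "/nonexistent"
    print("suspicious ServerDll modules:", suspicious_server_dlls(value))
    print("dropper body on disk:", file_indicators(root))


if __name__ == "__main__":
    main()
```

Run it as an administrator on a suspect x64 host; any module name reported outside the baseline, or a consrv.dll present in system32, warrants a closer look. A rootkit-free user-mode infection like this one is exactly the case where a registry and file check from a clean boot environment is more reliable than tools running on the live system.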

Just last week researchers also came across a 64-bit rootkit that’s being used by attackers to steal online banking credentials, mainly in Brazil. That rootkit also has the ability to disable some key Windows components, including the User Account Control security mechanism.

The ZeroAccess rootkit that’s circulating now can also download a range of other modules, including a component that hijacks search results.