Triple Helix
Go Blue Jays Go
Premium
join:2007-07-26
Oshawa, ON
kudos:7

ZeroAccess From Rootkit to Nasty Infection

One year ago we blogged about ZeroAccess striking back at antivirus products by injecting a malicious payload that causes the antivirus products to terminate. ZeroAccess is known for causing browser redirects that lead to additional malware infections.

ZeroAccess (also known as Sirefef, Maxplus or Smiscer) changed its way of working a few times and recently it evolved from a rootkit into a user mode virus. This makes sense because it used to use different strategies on 32-bit and 64-bit computers. On 32-bit Windows ZeroAccess infected a random kernel driver and on 64-bit it used an altered Session Manager\SubSystems registry key to survive reboots.

Merging both 32 and 64-bit versions the authors now have a common code base for both architectures which is easier to maintain and improve.

Services.exe infection
For a few weeks now we have been receiving reports of slightly changed versions of services.exe. This Microsoft component is the Services Control Manager and is responsible for running, ending, and interacting with system services. Upon closer inspection, the minor changes to services.exe are not malicious at all, but they do uncover a new and novel way of hiding a malicious payload, making ZeroAccess invisible to most antivirus products.

Full Story: »hitmanpro.wordpress.com/2012/06/···fection/
--
Triple Helix - Microsoft® MVP Consumer Security 2012
VIP Member Of ASAP - (Alliance of Security Analysis Professionals™)
Official Webroot SecureAnywhere (Prevx) Support Forum Helper!
(H59 Clan)
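Since the quoted post is about a tampered services.exe that most scanners missed, here is an added defender-side check. It is not from the HitmanPro post, the thread's participants or the tool's own cleanup routine; it simply asks Windows whether the local services.exe still carries a valid Microsoft signature and records its SHA-256 so the file can be compared against a known-good copy. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) running in an elevated session; the function name Test-ServicesExe is a name chosen here.

```powershell
# Added example: verify the Service Control Manager binary and capture a baseline.
# Not code from the HitmanPro blog or from this thread.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated session.
function Test-ServicesExe {
    [CmdletBinding()]
    param(
        # Default to the real SCM binary; override only for testing against a copy.
        [string]$Path = (Join-Path $env:SystemRoot 'System32\services.exe')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }

    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # On older Windows releases system files are catalog-signed, so the cmdlet may
    # report 'NotSigned' even for the shipped binary; treat that as "unknown" and
    # fall back to the hash comparison rather than as proof of tampering.
    $signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $validMsSig  = ($sig.Status -eq 'Valid') -and ($signer -match 'Microsoft')

    $report = [pscustomobject]@{
        Path             = $Path
        SizeBytes        = $item.Length
        LastWriteTimeUtc = $item.LastWriteTimeUtc
        SHA256           = $hash
        SignatureStatus  = $sig.Status
        Signer           = $signer
        ValidMicrosoft   = $validMsSig
    }

    if (-not $validMsSig) {
        Write-Warning ("{0}: signature status '{1}'. Compare SHA256 {2} with a known-good copy " +
                       "(installation media or 'sfc /verifyfile={0}') before trusting it.") `
                       -f $Path, $sig.Status, $hash
    }

    return $report
}

# Usage: print the report and keep the hash for later comparison.
$result = Test-ServicesExe
$result | Format-List
```

Run this once on a machine known to be clean and keep the SHA256 value; the same Windows build should produce the same hash on every machine, so a different value on a host that is otherwise identical is worth a closer look. The signature check alone is not a verdict: a 'NotSigned' result on an older release only means the catalog was not consulted, while a 'Valid' Microsoft signature on the current build is strong evidence the file has not been patched.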

Jrb2
Premium
join:2001-08-31
kudos:3

»[App Update] HitmanPro 3.6 Build 160 Released

===

The ESET blog post "ZeroAccess: code injection chronicles" also has an interesting analysis.
(Not so long ago some NOD32 users had problems with the ZeroAccess/Sirefef services.exe variant infection; hopefully that's now history.)


redwolfe_98
Premium
join:2001-06-11
kudos:1

reply to Triple Helix
I see a lot of people, over in the Avira forum, whose computers are getting infected with this malware. I am glad to see that the Avira program is at least flagging the malware.

I am wondering if HitmanPro's cleanup routine restores a clean copy of "services.exe".


Jrb2
Premium
join:2001-08-31
kudos:3

said by redwolfe_98:

I am wondering if HitmanPro's cleanup routine restores a clean copy of "services.exe".

My guess would be "yes". I guess that is one of the strong points of HitmanPro. But I don't have first-hand proof of it.
You can have a look at the screenshots posted by Erik at Wilders:
»www.wilderssecurity.com/showpost···unt=4451
In a similar case (of course not exactly the same), the infection caused by the Dutch news site NU.nl a few months ago, HitmanPro was said to be able to do a similar trick.

Wednesday, 22-May 17:25:29
© 1999-2013 dslreports.com.