Technical paper: The ZeroAccess rootkit under the microscope
Posted on 09/03/2012 9:54:52 AM PDT by Ernest_at_the_Beach
ZeroAccess is a sophisticated kernel-mode rootkit that is quickly becoming one of the most widespread malware threats.
In a new technical paper from SophosLabs, malware researcher James Wyke explores the ZeroAccess threat, examines how it works and looks at what the malware's ultimate goal is.
ZeroAccess has a resilient peer-to-peer command and control infrastructure, runs on both 32-bit and 64-bit versions of Windows, and has been constantly updated with new functionality, allowing it to thrive on modern networks and operating systems.
From the distribution mechanisms used to spread it, through the installation procedure, memory residence and payload, the technical paper offers a deep insight into how ZeroAccess works.
Because people have asked - Yes, Sophos Anti-Virus can detect, block and remediate this rootkit and the various malware which uses it:
1. Infected files will be detected and blocked as Mal/ZAccess-x, Troj/ZAccess-x, Mal/Sirefef-x or Troj/Sirefef-x, where x denotes an alphabetic suffix (e.g. -A, -B). On a properly-protected system, this should prevent infection in the first place.
2. Active processes will be reported and blocked by the Sophos run-time HIPS (Host Intrusion Detection System) as HPmal/ZAccess-A. This gives an extra layer of safety by providing proactive detection and prevention even of samples which evade detection in (1) above.
3. The ZeroAccess rootkit itself will be detected in kernel memory, and can be cleaned up, as Troj/ZAKmem-A. This means that the malware can be remediated even on systems where the rootkit is already active and stealthing.
(Excerpt) Read more at nakedsecurity.sophos.com ...
Is this an advertisement for Sophos?
I think so... Who cares, I don’t use Windoze... :-)
wow, those bastiges are really getting sneaky...thanks.
Given that it’s hosted on sophos.com, I would imagine so.
Doesn’t mean you should ignore it, though.
If they can deliver it via Java, as well as from web servers, then just about any device could be targeted - Linux, Android, iOS, etc., with a proper payload.
Current Symantec assessment:
Wild Level: Low
Number of Infections: 50 - 999
Number of Sites: 0 - 2
Geographical Distribution: Low
Threat Containment: Easy
Based on that assessment it looks like some jackass installed it manually.
My laptop got ahold of a rootkit a couple of years ago. It took an entire day to figure out how to get rid of it.
Sophos may be advertising capabilities but for something like this I’ll take information about it from any just about anywhere.
It is Linux based... searching for a link to download it.
FWIW, Sophos is one of the better AV solutions out there. For years, they had the only reliable AV solution for Novell Networks, where McAfee and Symantec would regularly crash Novell servers.
Sophos also has a FREE AV solution for Macs (personal use).
Thanks for the info.
Yes, Sophos Anti-Virus can detect, block and remediate this rootkit and the various malware which uses it...Where I work, Sophos can't even download its own updates -- "updating failed" every single day. Here at home I don't have to worry about it (Macs).
You know, I’m beginning to suspect that there are two sides to most computer security software firms; one side writes the problem software and the other writes the debugging software. Or maybe there are cooperative quid pro quo agreements between competing firms.
It would be the perfect business model: create the problem, release it, then solve it...for a price.
Is your workplace based on Windows software...?