ZeroAccess botnet
Found this article today. I had to a presentation on rootkits and their associated botnets in one my graduate classes. I didnt touch on Zero Access, but it looks incredibly sophisticated/
The ZeroAccess Botnet Revealed
The ZeroAccess Botnet Revealed
Comments
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□This is a good article, thanks for posting it. I do think it's missing some important stuff - Namely how ZeroAccess elevates privilges when infecting a machine with only 'User' level privileges. I intentionally compromised a Windows XP VM recently and pulled down ZeroAccess - When I'm done with my writeup of the traffic for work perhaps I'll post it here with some logs from Fiddler.
Anyway, along with Zeus, ZeroAccess is some of the coolest malware I consistently see right now. We've come to the point where if ZeroAccess isn't detected by A/V after compromise via an exploit pack, we just assume A/V missed it after we see a flood of UDP traffic spewing out to the internet from the infected host.
Also, did anyone else have that "Oh, crap.." moment after seeing the torrented Skyrim infection? I have moved on from my torrenting days, but that made me chuckle a little. -
MrAgent Member Posts: 1,310 ■■■■■■■■□□I'd like to see your write up... definitely post it. I also launched the ZeroAccess in a VM to see what what happen. It appeared to download a payload that appeared to be an adobe update. The funny thing is, that VM was fresh out of the box, so no adobe installed on it
Ive read that most of the rootkits and botnets go undedected because the people who are spreading them using techniques to make them fully undetectable (FUD). -
MSP-IT Member Posts: 752 ■■■□□□□□□□Probably a stupid question, but where does one "pull down" ZeroAccess?
-
chaser7783 Member Posts: 154We have been seeing a lot of ZeroAccess infections are a result of a host getting compromised by an exploit kit(blackhole exploit).
Here is another good write up on it. The ZeroAccess rootkit | Naked Security -
YFZblu Member Posts: 1,462 ■■■■■■■■□□I'd like to see your write up... definitely post it. I also launched the ZeroAccess in a VM to see what what happen. It appeared to download a payload that appeared to be an adobe update. The funny thing is, that VM was fresh out of the box, so no adobe installed on it
Ive read that most of the rootkits and botnets go undedected because the people who are spreading them using techniques to make them fully undetectable (FUD).
My understanding is the Adobe download / update is what ZeroAccess uses to elevate privileges when infecting a User with only user-level access. ZeroAccess is a kernel-level rootkit, therefore needs elevated privileges to operate properly. After the User allows the Adobe download with UAC or what have you, ZeroAccess will inject itself into that address space and run with the proper privileges it requires.
Regarding your second point of FUD, recently I have seen IDS alerts for "ZeroAccess outbound communication" come in, which indicated successful compromise by the rootkit; however in many recent cases the A/V agent running on the compromised host never fires any alerts of its own. It's definitely a losing game of cat and mouse in the A/V world.
MSP-IT wrote:Probably a stupid question, but where does one "pull down" ZeroAccess?
I see it in compromises stemming from exploit packs - According to URLquery statistics, the recent hotness has been the RedKit exploit kit, but popularity in the kits changes quite a bit. Personally I have seen a lot of Glazunov and Blackhole 2.1.0 in the environment at work.
Here is a URLquery search with some regex aimed at detecting compromised websites which serve up the new Blackhole variant. Obviously visiting any of the sites in this list is dangerous, so proceed with proper precautions taken.
urlquery.net - Free url scanner
-
chaser7783 Member Posts: 154One thing to note, the way exploit kits infect host is not only through adobe reader (PDF), but also java, flash, and even IE. A host will visit a site called a "landing page", which will fingerprint the host. It uses a plugin to detect the OS, Browser/brwoser version, adobe flash version, adobe reader version, and java version. Which is a major issue because many companies use older applications that only support java version 1.6.x.
The landing page will then load payloads that are relevant to the host, and proceed to compromise the machine(the local host will download malicious .pdf, .jar, .swf, or .exe) The payloads are polymorphic and this is a main reason a host based AV will not detect the infection.
Like YFZblu said, these are detected by IDS triggers event on zeroaccess outbound communication. Using event correlation you will see this host making many outbound UDP traffic to external host. -
MrAgent Member Posts: 1,310 ■■■■■■■■□□Probably a stupid question, but where does one "pull down" ZeroAccess?
I have some site on my tablet that has a bunch of malware that you can download. I cant remember the name of it off hand.