ZeroAccess botnet

Found this article today. I had to a presentation on rootkits and their associated botnets in one my graduate classes. I didnt touch on Zero Access, but it looks incredibly sophisticated/

The ZeroAccess Botnet Revealed

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

YFZblu

This is a good article, thanks for posting it. I do think it's missing some important stuff - Namely how ZeroAccess elevates privilges when infecting a machine with only 'User' level privileges. I intentionally compromised a Windows XP VM recently and pulled down ZeroAccess - When I'm done with my writeup of the traffic for work perhaps I'll post it here with some logs from Fiddler.

Anyway, along with Zeus, ZeroAccess is some of the coolest malware I consistently see right now. We've come to the point where if ZeroAccess isn't detected by A/V after compromise via an exploit pack, we just assume A/V missed it after we see a flood of UDP traffic spewing out to the internet from the infected host.

Also, did anyone else have that "Oh, crap.." moment after seeing the torrented Skyrim infection? I have moved on from my torrenting days, but that made me chuckle a little.

MrAgent

I'd like to see your write up... definitely post it. I also launched the ZeroAccess in a VM to see what what happen. It appeared to download a payload that appeared to be an adobe update. The funny thing is, that VM was fresh out of the box, so no adobe installed on it

Ive read that most of the rootkits and botnets go undedected because the people who are spreading them using techniques to make them fully undetectable (FUD).

MSP-IT

Probably a stupid question, but where does one "pull down" ZeroAccess?

chaser7783

We have been seeing a lot of ZeroAccess infections are a result of a host getting compromised by an exploit kit(blackhole exploit).
Here is another good write up on it. The ZeroAccess rootkit | Naked Security

YFZblu

MrAgent wrote: »

I'd like to see your write up... definitely post it. I also launched the ZeroAccess in a VM to see what what happen. It appeared to download a payload that appeared to be an adobe update. The funny thing is, that VM was fresh out of the box, so no adobe installed on it

Ive read that most of the rootkits and botnets go undedected because the people who are spreading them using techniques to make them fully undetectable (FUD).

My understanding is the Adobe download / update is what ZeroAccess uses to elevate privileges when infecting a User with only user-level access. ZeroAccess is a kernel-level rootkit, therefore needs elevated privileges to operate properly. After the User allows the Adobe download with UAC or what have you, ZeroAccess will inject itself into that address space and run with the proper privileges it requires.

Regarding your second point of FUD, recently I have seen IDS alerts for "ZeroAccess outbound communication" come in, which indicated successful compromise by the rootkit; however in many recent cases the A/V agent running on the compromised host never fires any alerts of its own. It's definitely a losing game of cat and mouse in the A/V world.

MSP-IT wrote:

Probably a stupid question, but where does one "pull down" ZeroAccess?

I see it in compromises stemming from exploit packs - According to URLquery statistics, the recent hotness has been the RedKit exploit kit, but popularity in the kits changes quite a bit. Personally I have seen a lot of Glazunov and Blackhole 2.1.0 in the environment at work.

Here is a URLquery search with some regex aimed at detecting compromised websites which serve up the new Blackhole variant. Obviously visiting any of the sites in this list is dangerous, so proceed with proper precautions taken.

urlquery.net - Free url scanner

chaser7783

One thing to note, the way exploit kits infect host is not only through adobe reader (PDF), but also java, flash, and even IE. A host will visit a site called a "landing page", which will fingerprint the host. It uses a plugin to detect the OS, Browser/brwoser version, adobe flash version, adobe reader version, and java version. Which is a major issue because many companies use older applications that only support java version 1.6.x.

The landing page will then load payloads that are relevant to the host, and proceed to compromise the machine(the local host will download malicious .pdf, .jar, .swf, or .exe) The payloads are polymorphic and this is a main reason a host based AV will not detect the infection.

Like YFZblu said, these are detected by IDS triggers event on zeroaccess outbound communication. Using event correlation you will see this host making many outbound UDP traffic to external host.

MrAgent

MSP-IT wrote: »

Probably a stupid question, but where does one "pull down" ZeroAccess?

I have some site on my tablet that has a bunch of malware that you can download. I cant remember the name of it off hand.