Rootkits are programs that can potentially be used by any malware to hide, or stealth, files, processes, registry keys, and network connections. ZeroAccess.a is one of such detections for this class of malicious programs. Unlike viruses, ZeroAccess does not self-replicate. It is spread manually, often under the premise that it is beneficial or wanted. The most common installation methods involve system or security exploitation, and unsuspecting users manually executing unknown programs. Distribution channels include email, malicious or hacked web pages, Internet Relay Chat (IRC), peer-to-peer networks,etc.
ZeroAccess is a family of Rootkits, capable of infecting the Windows Operating System. On infection, it overwrite Windows System Files and installs Kernel Hooks in an attempt to remain stealthy. Once the hooks are installed, the target operating system falls under control of the rootkit, which is then able to hide processes, files, networks connections, as well as to kill any security tools trying to access its files or processes. This rootkit is known to infect both 32 and 64 bit Windows operating systems.
ZeroAccess patches system files to load its malicious code. The original file content is overwritten, but the original system file is kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in an unsuspecting file on disk.
ZeroAccess is usually installed on a system by a malicious executable. Once this dropper is executed, it will install the rootkit which will perform the actions described below:
NOTE: A detailed description of this malware can be found on our Threat Advisory page here.
The following files are changed or created by the malware:
The following registry keys are changed or created:
In newer variants, besides killing the process, the rootkit component will also remove all NTFS permissions from the offending files (by modifying its DACL) and install an Image File Execution Option to disable execution of the file. This action is an attempt to disable security related tools and components.
ZeroAccess will report its installation and user activity to a remote server. Since the rootkit hides network connections from any tool running on the infected machine, system administrators may need to use external monitoring tools to check the network activity.
After infection, the malware will report installation and system activity using HTTP requests. These requests are usually made to destination port 80 but some variants also use port 8083 to communicate.
The requests have the following characteristics:
GET /stat2.php?w=46&i=d5d6a3459af7a34558e98254eb873a62&a=11 HTTP/1.1
User-Agent: Opera/6 (Windows NT 5.1; U; LangID=416; x86)
GET /bad.php?w=109&fail=0&i=d5d6a3459af7a3457ce3916737df5160 HTTP/1.1
User-Agent: Opera/6 (Windows NT 5.1; U; LangID=416; x86)
The following user-agent may also be used:
GET /%s HTTP/1.0
User-Agent: NSIS_Inetc (Mozilla)
During our test replication, the following IP addresses were contacted by the malware:
The rootkit component of ZeroAccess utilizes an advanced method for protecting itself and disabling any security tool trying to detect and remove it.
When a security tool tries to access the monitored file on disk or the service process in memory, the rootkit identifies the access attempt, triggering its protection system.
The protection consists of killing the process from kernel mode, making it effective against any type of security tool.
The rootkit also hooks some system APIs, an example of such hooks are shown below as depicted in the log by the publicly available GMER tool:
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IoReuseIrp + 8B 804EE879 7 Bytes CALL F60880F5
.text atapi.sys F850384D 7 Bytes CALL F60838F0
.text mrxsmb.sys F6D93000 107 Bytes [06, 0F, 83, 2D, B5, 00, 00, ...]
.text mrxsmb.sys F6D9306C 101 Bytes [EC, 8B, 45, 08, 8B, 40, 40, ...]
.text mrxsmb.sys F6D930D2 52 Bytes CALL 386296E7
.text mrxsmb.sys F6D93107 31 Bytes [90, 90, 90, 90, 90, FF, 25, ...]
.text mrxsmb.sys F6D93127 42 Bytes [F6, 42, 08, 80, 0F, 84, C5, ...]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!HalGetAdapter] 840FFC4D
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!IoWritePartitionTable] 00008258
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[HAL.dll!HalDisplayString] 0F01FE83
ZeroAccess is usually installed by a dropper component that may come to the machine from different sources. One usual method that machines get infected is by downloading and executing small executable files used to crack applications. These crack tools can be found in many different websites devoted to distributing cracked applications. These sites also are known to distribute malicious files and exploits, and thus accessing unknown websites should be avoided to lower the chance of getting infected.
Some recent variants have been observed to come together with Fake Antivirus software or W32/Katusha file infector virus. ZeroAccess is downloaded by these components at each system reboot, which make it very difficult to get rid of it.
For most previous variants of this malware, McAfee provides protection via signatures. Please ensure to have the most up to date DATs and Engine. For the most recent variant where McAfee (or your security product) may be disabled, please follow the following manual cleaning instructions. A standalone tool may be provided in the near future to help remediate this Threat.
NTFS Folder Permission Alteration
Besides killing any security tool trying to access its files or processes, newer variants of ZeroAccess implemented a new protection method to disable security tools.
Once the process is killed, the rootkit will remove all NTFS permissions disallowing the execution of the file afterwards. This method of disabling security tools has been seen before in malware families like W32/Pinkslipbot and W32/Simfect.
The file permissions may be restored by running the following actions.
Manual Remediation steps:
The malicious code is loaded by the patched system driver. In order to clean the system manually, its necessary to identify the malicious .SYS file and replace it with a good copy from installation media.
In order to identify which system driver was replaced, the user is going to need the following tool:
Standalone Removal Tool Instructions:
Alternatively, McAfee is making available a standalone tool to detect and remove ZeroAccess rootkit from customers infected machines. The tool is available for download here
NOTE: McAfee has prepared this standalone tool to assist with the remediation of this threat. McAfee Quality Assurance team has minimally tested 0.60 version of this tool and McAfee makes no warranty that these files will be free from errors.
Extract the tool to a temporary folder. Run it by simply executing it from the command line. The following image shows what is expected in case the tool successfully detect and remove the malware:
ZeroAccess has been known to be accompanied by other malware. Therefore, as an option, customer may use the latest Beta DATs available here for the most up to date signatures. These may be used along with our command line scanner, csscan.exe as shown on the instructions above (Step 12 of Manual Cleaning instructions).