June 15, 2021

Reverse Engineering of ZeroAccess Rootkit

Step-by-step instructions for reverse engineering the ZeroAccess rootkit have been published by Giuseppe Bonfa of InfoSec Institute, an information security service company. The series consists of four parts and walks through, step by step, how to reverse engineer the ZeroAccess rootkit.

InfoSec Institute classifies ZeroAccess as a sophisticated, advanced rootkit. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also has features that make itself and the installed malicious programs impossible for power users to remove and very difficult for security experts to analyze forensically. This modern malware is also known as the Smiscer or Max++ rootkit.

The purpose of this rootkit is to set up a stealthy, undetectable and unremovable platform for delivering malicious software to victim computers. According to the InfoSec Institute website, this malware is currently being used to deliver FakeAntivirus crimeware applications that trick users into paying $70 to remove the “antivirus”. In the future it could be used to deliver any malicious application, such as one that steals bank and credit card information. Further analysis and network forensics support the conclusion that ZeroAccess is hosted on and originates from the Ecatel Network, which is controlled by the cybercrime syndicate RBN (Russian Business Network).

Further, Symantec reports that 250,000+ computers have been infected with this rootkit. If 100% of users paid the $70 removal fee, it would net a total of $17,500,000. As it is unlikely that 100% of users will pay the fee, assuming that perhaps 30% do gives $5,250,000 in revenue for the RBN cybercrime syndicate.

ZeroAccess has the following capabilities:

  • Modern persistence hooks into the OS – Make it very difficult to remove without damaging the host OS
  • Ability to use low-level API calls to carve out new disk volumes totally hidden from the infected victim, making traditional disk forensics difficult or impossible.
  • Sophisticated and stealthy modification of resident system drivers to allow for kernel-mode delivery of malicious code
  • Advanced Antivirus bypassing mechanisms.
  • Anti Forensic Technology – ZeroAccess uses low level disk and filesystem calls to defeat popular disk and in-memory forensics tools
  • Serves as a stealthy platform for the retrieval and installation of other malicious crimeware programs
  • Kernel level monitoring via Asynchronous Procedure Calls of all user-space and kernel-space processes and images, and ability to seamlessly inject code into any monitored image

The InfoSec Institute tutorial is split into a series of articles as follows:

Part 1: Introduction and De-Obfuscating and Reversing the User-Mode Agent Dropper

Part 2: Reverse Engineering the Kernel-Mode Device Driver Stealth Rootkit

Part 3: Reverse Engineering the Kernel-Mode Device Driver Process Injection Rootkit

Part 4: Tracing the Crimeware Origins of ZeroAccess Rootkit by Reversing the Injected Code


New Rootkit Designed to Attack 64-bit Versions of Windows is in the Wild

Until now there hasn’t been a rootkit which explicitly attacks machines running a 64-bit version of Microsoft Windows. But now the TDL3 rootkit has been updated to infect Windows Vista 64 bit and Windows 7 64 bit.

Rootkits are pieces of malware which infect computers and allow hackers to hide an intrusion and yet maintain privileged access to a computer by circumventing normal authentication and authorization mechanisms.

This is a worrying development as 64-bit versions of Windows were considered much more secure than the 32-bit versions because of the various security features which make it more difficult for malware to get into kernel mode.

The 64-bit versions of Windows use two techniques to keep rootkits out of the kernel. First, drivers aren’t allowed access to kernel memory if they aren’t signed with a digital signature (something which malware applications shouldn’t be). Second, Windows 64 bit uses PatchGuard which blocks every kernel mode driver from altering sensitive areas of the kernel.

The new TDL3 rootkit bypasses both PatchGuard and driver signature verification by changing the hard drive’s master boot record and intercepting the Windows startup process, allowing it to load its own driver. Once the MBR is infected, the rootkit forces a system reboot, which bypasses the need for administrator-level privileges.
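Because the infection described above lives in the master boot record rather than in a signed driver, the defender's check is a baseline comparison of the boot sector itself. The following is an added example, not code from the article or from any vendor: it parses a 512-byte MBR (boot code, four partition entries, 0x55AA signature) and reports whether the boot code or partition table differs from a baseline captured from a known-clean boot. The sectors used here are constructed test data, not real boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446        # bytes 0..445 hold the boot code
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"    # bytes 510..511

def build_sector(boot_code: bytes, entries) -> bytes:
    """Constructed helper: assemble an MBR from boot code and (status, type, lba, count) tuples."""
    table = b"".join(struct.pack("<BBBBBBBBII", s, 0, 0, 0, t, 0, 0, 0, lba, cnt)
                     for s, t, lba, cnt in entries)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + SIGNATURE

def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries of a 512-byte MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:                       # type 0 means an unused slot
            parts.append({"index": i, "bootable": status == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts}

def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a sector against a baseline from a known-clean boot; empty list means no finding."""
    info = parse_mbr(sector)
    findings = []
    if info["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if info["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

# Constructed sectors: a clean one, one with rewritten boot code, one with an added entry.
CLEAN = build_sector(b"CLEAN-BOOT-CODE", [(0x80, 0x07, 2048, 204800)])
REWRITTEN = build_sector(b"OTHER-BOOT-CODE", [(0x80, 0x07, 2048, 204800)])
EXTRA_PART = build_sector(b"CLEAN-BOOT-CODE", [(0x80, 0x07, 2048, 204800), (0x00, 0x17, 300000, 4096)])
BASELINE = parse_mbr(CLEAN)
```

On a live system the baseline would be taken from the first sector of the boot disk right after a trusted install, and the check rerun from a clean boot medium, since a running bootkit can filter what the infected OS reads.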

How this will develop is yet to be seen, but we are officially now in the era of 64-bit rootkits. You have been warned!

Stuxnet: The Industrial Sabotage Mystery Deepens

Since its discovery a few months ago, the purpose and intention of the Stuxnet worm has remained shrouded in mystery. This Windows based worm is the first ever malware designed to attack industrial equipment.

Specifically it targets Siemens’ Supervisory Control And Data Acquisition (SCADA) software used to control and monitor industrial processes and has the ability to reprogram Siemens’ Simatic PLCs (programmable logic controllers).

PLCs contain code to control automated industrial systems in manufacturing plants or factories. Programmers use the Siemens’ software from a Windows PC to create code and then upload their code to the PLCs. The Stuxnet worm infects the PCs and then uploads its own code to the PLC.

Since the discovery of Stuxnet, conspiracy theories about its purpose have been rampant, and these theories have involved nation states, well-funded hackers, Israeli spies and Iran’s nuclear program. But Symantec have just revealed (http://www.symantec.com/connect/blogs/stuxnet-breakthrough) that the Stuxnet virus only attacks systems with variable-frequency drives from two specific vendors: Vacon, based in Finland, and Fararo Paya, based in Iran. This is sure to reignite the speculation about its target and origin.

What Stuxnet does is monitor the frequency of these drives and only attack systems that run between 807Hz and 1210Hz, which is very high and only used in particular industrial applications. Stuxnet then modifies the output frequency for a short time to 1410Hz, then to 2Hz and then to 1064Hz, and thus affects the operation of the connected motors.
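The behaviour just described is visible in drive telemetry: the output frequency leaves the 807–1210Hz band and then follows a fixed 1410Hz, 2Hz, 1064Hz sequence. The following is an added example, not code from the article or from Symantec, that runs that detection over a constructed frequency log; the log format (`<seconds>,<drive>,<hz>`), the drive names and the 5Hz tolerance are assumptions.

```python
from dataclasses import dataclass

BAND = (807.0, 1210.0)                   # Hz, operating band named in the article
ATTACK_SEQUENCE = (1410.0, 2.0, 1064.0)  # Hz, setpoint sequence named in the article

@dataclass(frozen=True)
class Reading:
    t: int        # seconds since the start of the log (constructed)
    drive: str    # drive identifier (constructed)
    hz: float     # reported output frequency

def load(text: str) -> list:
    """Parse constructed '<t>,<drive>,<hz>' lines into Reading objects."""
    readings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, drive, hz = line.split(",")
        readings.append(Reading(int(t), drive.strip(), float(hz)))
    return readings

def out_of_band(readings, band=BAND) -> list:
    """Readings outside the normal operating band; each one deserves a look."""
    lo, hi = band
    return [r for r in readings if not lo <= r.hz <= hi]

def find_attack_sequence(readings, seq=ATTACK_SEQUENCE, tol=5.0) -> list:
    """Per drive, look for the setpoints of seq in order (not necessarily back to back).
    Returns (drive, start_time) for every completed sequence."""
    hits, by_drive = [], {}
    for r in readings:
        by_drive.setdefault(r.drive, []).append(r)
    for drive, rs in by_drive.items():
        i, start = 0, None
        for r in sorted(rs, key=lambda x: x.t):
            if abs(r.hz - seq[i]) <= tol:
                start = r.t if i == 0 else start
                i += 1
                if i == len(seq):
                    hits.append((drive, start))
                    i, start = 0, None
    return hits

# Constructed telemetry: vfd-01 shows the sequence, vfd-02 stays in band.
SAMPLE_LOG = """\
0,vfd-01,1064.0
10,vfd-01,1065.2
20,vfd-01,1410.0
35,vfd-01,2.1
50,vfd-01,1064.0
0,vfd-02,1000.0
10,vfd-02,1001.0
"""
```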

Stuxnet’s requirement for particular frequency converter drives and operating characteristics narrows the set of plausible targets to a limited number of possibilities.

If you work with PLCs and variable-frequency drives over 807Hz please contact Live Hacking as soon as possible as you might be able to shed some light on this increasingly mysterious malware.

Rootkit Analysis: TDSS Rootkit

Securelist.com has a great rootkit analysis article about TDSS rootkit. It has been written by Sergey Golovanov and Vyacheslav Rusakov.

The TDSS rootkit first appeared in 2008. Since then, it has become far more widespread than the notorious Rustock rootkit. The rootkit’s malicious payload and the difficulties it presents for analysis are effectively similar to those of the bootkit. The bootkit (as its name suggests) infects the boot sector, ensuring that the malicious code is loaded prior to the operating system. TDSS implements the concept of infecting drivers; this means it is loaded and run at the very early stages of the operating system. This greatly complicates the detection of TDSS and makes removing it a serious challenge.

Read the full article here: http://www.securelist.com/en/analysis/204792131/TDSS


BinNavi 3.0 released

BinNavi version 3.0, a graph-based reverse engineering tool for malware analysis with Win32 kernel debugging support, has been released. According to blog.zynamics.com, previous versions of BinNavi have already helped reverse engineers in the IT security industry, in governmental agencies, and in academia around the world do their jobs faster and better.

New Features:

  1. Analyze code of MIPS-based devices
  2. Rename local and global variables to understand code
  3. Find out where global variables are used
  4. Quickly get back to your favorite projects, modules, and views
  5. Use a faster disassembly data exporter to get started
  6. Set conditional breakpoints to make debugging more efficient
  7. Edit the target process memory to test small patches
  8. Isolate code quickly using the improved trace mode
  9. Quickly see where variables are used
  10. Quickly recognize special instructions

More information is available at http://zynamics.com/binnavi.htm.

REMnux: A Linux Distribution for Reverse-Engineering Malware

REMnux is a new Linux distribution based on Ubuntu for assisting malware analysts in reverse-engineering malicious software. REMnux is designed for running services that are useful to emulate within an isolated environment when performing behavioural malware analysis. As part of this process, the analyst typically infects another laboratory system with the malware sample and directs potentially malicious connections to the REMnux system, which is listening on the appropriate ports.

REMnux is also useful for analyzing web-based malware, such as malicious JavaScript, Java programs, and Flash files. It also has tools for analyzing malicious documents, such as Microsoft Office and Adobe PDF files, and utilities for reversing malware through memory forensics. In these cases, malware may be loaded onto REMnux and analyzed directly on the REMnux system without requiring other systems to be present in the lab.

It is important to highlight that REMnux is not a Windows analysis tool on a Linux platform. The Zero Wine project may help those who are looking for a Windows analysis tool.

You can download the REMnux distribution as a VMware virtual appliance archive and also as an ISO image of a Live CD.

REMnux has been developed by Lenny Zeltser.