January 22, 2017

Reverse Engineering of ZeroAccess Rootkit

The step-by-step instructions for reverse engineering of ZeroAccess Rootkit has publihsed by Giuseppe Bonafa from InfoSec Institute, an information security service company. This article consists of four parts and step-by-step tutorial on how to reverse engineer the ZeroAccess Rootkit.

InfoSec Institute would classify ZeroAccess as a sophisticated, advanced rootkit. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power-users to remove and very difficult security experts to forensically analyze. This modern malware is also known as the Smiscer or Max++ rootkit.

[ad code=6 align=left]

The purpose of this rootkit is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers. With reference to InfoSec Institute website, this malware is being currently used to deliver FakeAntivirus crimeware applications that trick users into paying $70 to remove the “antivirus”. It could be used to deliver any malicious application, such as one that steals bank and credit card information in the future. Further analysis and network forensics supports that ZeroAccess is being hosted and originates from the Ecatel Network, which is controlled by the cybercrime syndicate RBN (Russian Business Network).

Further, Symantec reports that 250,000+ computers have been infected with this rootkit. If 100% of users pay the $70 removal fee, it would net a total of $17,500,000. As it is not likely that 100% of users will pay the fee, assuming that perhaps 30% will, resulting $5,250,000 in revenue for the RBN cybercrime syndicate.

ZeroAccess has the following capabilities:

  • Modern persistence hooks into the OS – Make it very difficult to remove without damaging the host OS
  • Ability to use a low level API calls to carve out new disk volumes totally hidden from the infected victim, making traditional disk forensics impossible or difficult.
  • Sophisticated and stealthy modification of resident system drivers to allow for kernel-mode delivery of malicious code
  • Advanced Antivirus bypassing mechanisms.
  • Anti Forensic Technology – ZeroAccess uses low level disk and filesystem calls to defeat popular disk and in-memory forensics tools
  • Serves as a stealthy platform for the retrieval and installation of other malicious crimeware programs
  • Kernel level monitoring via Asynchronous Procedure Calls of all user-space and kernel-space processes and images, and ability to seamlessly inject code into any monitored image

InfoSec Institute tutorial is split into a series of articles as follow:

Part 1: Introduction and De-Obfuscating and Reversing the User-Mode Agent Dropper

Part 2: Reverse Engineering the Kernel-Mode Device Driver Stealth Rootkit

Part 3: Reverse Engineering the Kernel-Mode Device Driver Process Injection Rootkit

Part 4: Tracing the Crimeware Origins of ZeroAccess Rootkit by Reversing the Injected Code