Tuesday, December 27, 2011

ZeroAccess (read: Whatever viruses we don't want to name specifically)

As of late, a large influx of 64-bit, and now 32-bit, variations of "ZeroAccess" has been appearing in the wild, which of course means they have been trickling in to us and need to be classified one way or another so that detection and removal on infected systems can be managed easily.

To shed a bit of light on what we're classifying as "ZeroAccess", "ZA64", or similar infections, let's break down the average infection into its core parts:

Multiple files appearing under 'C:\Windows\Assembly\tmp\U\' with 000000CF.@-style naming conventions (the last two characters, as well as the leading digit, often vary between variants of the infection).

This portion of the infection actually belongs to the Win64.Sirefef family, most commonly Sirefef.D or Sirefef.K.

On 32-bit systems, it is fairly common to see, in place of the Sirefef infection (which is 64-bit only), a Conedex.A infection, which is implemented and functions in essentially the same manner.

With this infection, it is also common to see 'Services32.exe' or 'Java.exe' in the 'C:\Windows\' folder. This is the main dropper packaged with most of these infections. Generally speaking, it visually resembles, and is often mistaken for, an Adobe Flash Updater/Installer. In actuality it installs most of the registry keys, legacy device drivers and services that allow the remote controller of the botnet to use a push-style delivery system on infected machines. This backdoor dropper belongs to the Bafruz family; most commonly we see Bafruz.B and Bafruz.D.

Packaged with these is generally one of two DLL files: kwrd.dll or consrv.dll.

Starting with kwrd.dll, identified as Win32/Bitcoin.B by some AV brands, we see the first of many non-adware packages associated with this infection. Primarily, this DLL exists to transfer the wallet.dat and addr.dat files of Bitcoin installations to a remote host, thus stealing the Bitcoin* holdings of the infected user.

consrv.dll seems to function primarily as a DNS redirector, sometimes to adware and at other times to shopping sites or other revenue-generating mechanisms. Most often, infections that feature consrv.dll contain a Rogue.AV element ("You're infected with 9,435,234 infections! Send us money now to remove them!") and revenue is clearly generated from that aspect of the infection.

Due to the dynamic assembly nature of the application, all of the 000000CF.@-style files are compiled at boot time into a 32- or 64-bit packed executable that then runs to keep the system infected. This allows the infection to download updated code from the host machines or P2P network attached to it, so the infection remains entirely dynamic and auto-updating.
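To make the file-system indicators above usable during triage, here is an added example (not code from the original post) that classifies a constructed directory listing against them: 000000CF.@-style fragments under C:\Windows\Assembly\tmp\U\, the Services32.exe/Java.exe dropper directly in C:\Windows\, and the two DLL names. The eight-hex-character name pattern is an assumption generalised from the post's 000000CF.@ example; the sample paths are constructed.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample listing (not real data), as a scanner might collect it.
SAMPLE_LISTING = [
    r"C:\Windows\assembly\tmp\U\000000CF.@",
    r"C:\Windows\assembly\tmp\U\80000032.@",
    r"C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll",
    r"C:\Windows\Services32.exe",
    r"C:\Windows\System32\consrv.dll",
    r"C:\Program Files\Java\jre6\bin\java.exe",   # legitimate Java, must not be flagged
    r"C:\Windows\explorer.exe",
]

# Assumed pattern: eight hex characters plus ".@" (generalised from 000000CF.@).
PAYLOAD_NAME = re.compile(r"^[0-9A-F]{8}\.@$", re.IGNORECASE)
ASSEMBLY_U = ("windows", "assembly", "tmp", "u")
DROPPER_NAMES = {"services32.exe", "java.exe"}
DLL_FAMILIES = {"kwrd.dll": "Win32/Bitcoin.B (wallet theft)", "consrv.dll": "DNS redirector"}


def classify_path(path: str):
    """Return (component, family) if the path matches an indicator from the post, else None."""
    p = PureWindowsPath(path)
    parts = tuple(s.lower() for s in p.parts[1:])   # drop the drive, normalise case
    name = p.name.lower()
    # Payload fragments live directly in C:\Windows\Assembly\tmp\U\
    if parts[:-1] == ASSEMBLY_U and PAYLOAD_NAME.match(p.name):
        return ("payload fragment", "Sirefef (64-bit) / Conedex.A (32-bit)")
    # The dropper is only suspicious when it sits directly in C:\Windows\
    if parts[:-1] == ("windows",) and name in DROPPER_NAMES:
        return ("dropper", "Bafruz")
    if name in DLL_FAMILIES:
        return ("dll", DLL_FAMILIES[name])
    return None


def triage(listing):
    """Return a list of (path, component, family) for every flagged entry."""
    findings = []
    for path in listing:
        hit = classify_path(path)
        if hit:
            findings.append((path,) + hit)
    return findings


if __name__ == "__main__":
    for path, component, family in triage(SAMPLE_LISTING):
        print(f"{component:16} {family:40} {path}")
```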

So, in closing, rarely, if ever, does the "ZeroAccess" infection actually contain any element of ZeroAccess. There are a few instances where a ZA package is included; however, outside of Windows XP systems with an infected TCP/IP stack, or Vista systems with an infected netbt.sys, this isn't seen very much.

* Bitcoin is a digital crypto-currency developed as an open-source project and released at Bitcoin.org. At the time of writing this, a single Bitcoin (BTC) is worth roughly $4 USD on market exchanges.
