Targeting ZeroAccess Rootkit’s Achilles’ Heel

Proliferation
ZeroAccess is one of the most talked-about and blogged-about [1], [2] rootkits in recent times. It is also one of the more formidable and widely prevalent rootkits we have encountered, and it is still continuing to evolve. The ZeroAccess rootkit is distributed through both social engineering and exploitation. A recent blog post by my colleagues at McAfee describes some of the unusual methods this rootkit adopts to get installed on machines without being noticed.
One of the goals of this rootkit is to create a powerful peer-to-peer botnet that is capable of downloading additional malware onto an infected system. This botnet is reportedly [3] involved in click fraud, downloading rogue antivirus applications, and generating spam.
This Google map of the United States shows McAfee VirusScan consumer nodes reporting unique ZeroAccess detections over the past week.
Our consumer data for the past month shows close to 4,000 unique systems detecting ZeroAccess daily, and the trend is continuing upward.
Installation
In my recent research on this rootkit, I was looking to understand the initial installation mechanism. The installation of ZeroAccess involves overwriting a legitimate driver on disk with the malicious rootkit driver. Step 1 usually varies between variants: some variants directly overwrite the legitimate driver, while others first inject malicious code into trusted processes such as explorer.exe and then overwrite the driver from the injected code (this is done to bypass several security products and to make analysis more challenging). During Step 1, the original driver code is kept in memory. The driver that is overwritten in Step 2 is randomly selected (details here [1]); in the discussion below I assume CDROM.sys is being overwritten. Steps 2 through 8 are fairly static across ZeroAccess variants. Once the driver has been overwritten with malicious code, it is loaded into kernel space. The first task of the kernel-mode code is to set the malware up to survive reboots and to fake the view of the overwritten driver (CDROM.sys).
Let's move on to see how this scheme works in Steps 5 through 8. In Step 5, ZeroAccess intercepts disk I/O by hooking the DeviceExtension->LowerDeviceObject field in the \Driver\Disk DEVICE_OBJECT, so from then on every disk I/O request passes through the rootkit's malicious routine. In Step 6, the kernel-mode code has access to the clean image of the CDROM.sys driver stored in memory, and to survive reboots it flushes that image to disk using the ZwFlushVirtualMemory API. Interestingly, the request to flush the clean image is sent to the file CDROM.sys, which at first glance looks counter-intuitive: why would the rootkit want to write a clean image to the very file it just infected in Step 2? Looking more closely, the rootkit actually uses a disk I/O redirection framework. When the request to store the clean image traverses the virtual driver stack shown in Step 7, it is encrypted and redirected (Step 8) to the rootkit's "protected" folder, created in Step 3, instead of going to the actual CDROM.sys.
Once the original image of CDROM.sys is stored, encrypted, in the protected folder, the infection is established and can easily survive reboots. Any attempt to read the infected CDROM.sys has to traverse the hijacked I/O path, where the rootkit decrypts the original file from the protected storage on the fly and presents the clean image, thus faking the view of the file to security tools. Also, at reboot the infected file first loads the malicious code into the kernel, which can then refer to the "protected" folder and load the original file into the kernel, ensuring uninterrupted functionality of the original device.
In order to clean this threat, security tools have to take several steps to either repair memory or decrypt the files in the protected folder so that they can restore the original file. Also, once the rootkit is active in kernel mode it takes a number of steps to kill or bypass security tools, as described by my colleagues in this Virus Bulletin article. So repair becomes even more challenging, and research costly.
Impact of real-time kernel monitoring
I tested many variants of this rootkit family, spanning over a year, against McAfee's Deep Defender technology, which provides real-time protection against unauthorized kernel memory modifications. The following screenshot shows Deep Defender blocking the DeviceExtension hijack attempt in Step 5, which is critical to the rootkit's survival. Once this hook was blocked, the machine was clean after a reboot without any elaborate repair, and that shaved off days of reverse engineering and writing custom repair against this rootkit and its multiple variants. It seems as if Deep Defender hit right at the Achilles' heel of the rootkit.
Is that it? How did Deep Defender clean the machine?
No, you did not miss part of the article. The interesting part is that Deep Defender did not have to do any custom repair to clean this threat; it only blocked, in real time, the core functionality of the rootkit. Let's revisit the attack strategy to understand what happened.
When the rootkit attempted to hijack the DeviceExtension pointer in Step 5, Deep Defender's real-time kernel memory protection saw the attempted change, recognized it as a malicious attempt to modify a critical structure, and blocked the hijack attempt. With the hook gone, the rootkit could not hijack the disk I/O path, which means it could no longer store any files in the "protected" folder and could not survive reboots without being noticed. It certainly could not fake the view of the file anymore either. But the most interesting part is that blocking the hijack attempt actually caused the rootkit's own write attempt in Step 7 to go to the original location. So Step 8 overwrote the original file that the rootkit had just infected from user mode, thus forcing the rootkit to clean up for us. After a reboot the system is back in a clean state.
This strategy from Deep Defender works against all the current ZeroAccess variants. It would be challenging for the rootkit authors to fully bypass this defense without either leaving the system in a corrupted state or being noticed by security tools, which would catch them red-handed once they could no longer fake the view of the file.
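To make the redirection scheme of Steps 5 through 8 and the effect of blocking the Step 5 hook concrete, here is an added example; it is not McAfee's, Deep Defender's or the rootkit's code, but a small user-mode C model of a three-device stack (port driver, disk.sys, and a rootkit device that tries to slip in below disk.sys), a toy "volume", and a monitor that refuses writes to the LowerDeviceObject pointer unless the new target belongs to an allow-listed driver. The driver names, the "protected/" path, the XOR cipher and the allow-list are assumptions made for the illustration; the real DEVICE_OBJECT and DeviceExtension layouts are far more involved, and the real monitor identifies legitimate writers differently.

```c
/* Added example, not McAfee's or the rootkit's code: a user-mode model of the disk
 * I/O redirection described in Steps 5-8, and of what happens when the write to
 * LowerDeviceObject is refused. Names, the XOR "cipher" and the allow-list are assumed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define DATA_LEN  32
#define TARGET    "CDROM.sys"            /* driver picked for overwriting      */
#define PROTECTED "protected/CDROM.sys"  /* where the clean image really lands */

typedef struct { const char *name; char data[DATA_LEN]; bool exists; } FileEntry;
typedef struct { FileEntry f[2]; } Volume;   /* stand-in for the disk: two slots */

static FileEntry *vol_find(Volume *v, const char *name) {
    for (int i = 0; i < 2; i++) if (strcmp(v->f[i].name, name) == 0) return &v->f[i];
    return NULL;
}

typedef struct DeviceObject DeviceObject;
typedef bool (*IoHandler)(DeviceObject *self, bool is_write, const char *name, char *data);
struct DeviceObject {
    const char   *driver;   /* owning driver, checked by the monitor's allow-list */
    IoHandler     handler;
    DeviceObject *lower;    /* models DeviceExtension->LowerDeviceObject          */
    Volume       *vol;      /* only the bottom (port) device touches the volume   */
};

/* Bottom of the stack: the actual read or write against the volume. */
static bool port_handler(DeviceObject *self, bool is_write, const char *name, char *data) {
    FileEntry *e = vol_find(self->vol, name);
    if (!e || (!is_write && !e->exists)) return false;
    if (is_write) { strncpy(e->data, data, DATA_LEN - 1); e->exists = true; }
    else          strncpy(data, e->data, DATA_LEN - 1);
    return true;
}

/* disk.sys in this model just forwards every request to whatever sits below it. */
static bool disk_handler(DeviceObject *self, bool is_write, const char *name, char *data) {
    return self->lower->handler(self->lower, is_write, name, data);
}

static void xor_buf(char *d) { for (int i = 0; d[i]; i++) d[i] ^= 0x5A; } /* toy cipher */

/* Rootkit device slipped under disk.sys: writes to TARGET are encrypted and sent to
 * PROTECTED; reads of TARGET are served from PROTECTED, decrypted on the fly. */
static bool rootkit_handler(DeviceObject *self, bool is_write, const char *name, char *data) {
    if (strcmp(name, TARGET) != 0)
        return self->lower->handler(self->lower, is_write, name, data);
    if (is_write) {
        xor_buf(data);
        bool ok = self->lower->handler(self->lower, true, PROTECTED, data);
        xor_buf(data);                          /* leave the caller's buffer intact */
        return ok;
    }
    bool ok = self->lower->handler(self->lower, false, PROTECTED, data);
    if (ok) xor_buf(data);
    return ok;
}

/* Models real-time kernel memory protection: a write to LowerDeviceObject is
 * allowed only if the new target belongs to an allow-listed driver. */
static const char *allowed_drivers[] = { "disk.sys", "storport.sys" };
static bool set_lower_device(DeviceObject *dev, DeviceObject *new_lower, bool monitor_on) {
    bool ok = !monitor_on;
    for (size_t i = 0; i < sizeof allowed_drivers / sizeof *allowed_drivers; i++)
        if (strcmp(new_lower->driver, allowed_drivers[i]) == 0) ok = true;
    if (ok) dev->lower = new_lower;             /* else blocked: pointer untouched */
    return ok;
}

typedef struct {
    bool hooked, protected_copy;                 /* Step 5 succeeded? encrypted copy exists? */
    char on_disk[DATA_LEN], read_view[DATA_LEN]; /* real CDROM.sys vs. what a reader sees   */
} Outcome;

/* Runs Steps 1-8 against the model, with or without the monitor. */
Outcome simulate_infection(bool monitor_on) {
    Volume vol = { { { TARGET, "", false }, { PROTECTED, "", false } } };
    DeviceObject port = { "storport.sys", port_handler,    NULL,  &vol };
    DeviceObject disk = { "disk.sys",     disk_handler,    &port, NULL };
    DeviceObject rk   = { "zeroaccess",   rootkit_handler, &port, NULL };
    char buf[DATA_LEN] = "CLEAN-CDROM";         /* Step 1 keeps this image in memory */
    Outcome o = {0};
    disk.handler(&disk, true, TARGET, buf);                 /* pristine driver on disk */
    strcpy(buf, "MALICIOUS");
    disk.handler(&disk, true, TARGET, buf);                 /* Step 2: overwrite it    */
    o.hooked = set_lower_device(&disk, &rk, monitor_on);    /* Step 5: hook attempt    */
    strcpy(buf, "CLEAN-CDROM");
    disk.handler(&disk, true, TARGET, buf);                 /* Steps 6-8: flush image  */
    strncpy(o.on_disk, vol_find(&vol, TARGET)->data, DATA_LEN - 1);
    o.protected_copy = vol_find(&vol, PROTECTED)->exists;
    disk.handler(&disk, false, TARGET, o.read_view);
    return o;
}

int main(void) {
    Outcome a = simulate_infection(false), b = simulate_infection(true);
    printf("unmonitored: on_disk=%s read_view=%s\n", a.on_disk, a.read_view);
    printf("monitored:   on_disk=%s read_view=%s\n", b.on_disk, b.read_view);
    return 0;
}
```

With the monitor off, the flush of the clean image is diverted to the encrypted "protected" copy, CDROM.sys stays malicious on disk, and yet anyone reading CDROM.sys through the stack is shown the clean image. With the monitor on, the pointer write is refused, the same flush travels the unhooked path and lands on the real CDROM.sys, overwriting the infected driver, which is the "rootkit cleans up for us" outcome described above. The caveat is that this model only captures the hook-and-redirect logic; identifying legitimate writers of kernel structures in a real system is the hard part and is not reducible to a two-entry allow-list.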
Tags: Deep Defender, DeepSAFE, Rootkits