- Jan 24, 2011
What is ZeroAccess?
ZeroAccess is a family of rootkits capable of infecting the Windows operating system. On infection, it replaces Windows system files and installs kernel hooks in an attempt to remain stealthy. Once the hooks are installed, the target operating system falls under the control of the rootkit, which is then able to hide processes, files and network connections, as well as to kill any security tools trying to access its files or processes. This rootkit is known to infect both 32-bit and 64-bit Windows operating systems.
ZeroAccess also patches system files to load its malicious code. The original file name is then kept inside an encrypted virtual file system the rootkit creates. The virtual file system is stored in a file on disk.
You can find more details here and here.
ZeroAccess rootkit at work:
ZeroAccess rootkit against the security vendors test
A blogger from my country has tested in a virtual machine the main Internet Security suites on the market against this rootkit.
Procedure:
He downloaded and installed, in a clean virtual machine, the latest version of each security suite.
He deactivated only the real-time antivirus engine, simulating an unknown virus attack, in order to test the products' proactive protection and their ability to protect their own processes and services; then he ran the ZeroAccess rootkit.
Results:
avast! Internet Security 6 – disabled
AVG Internet Security 2012 – unaffected
Avira Premium Security 2012 – unaffected
BitDefender Internet Security 2012 – unaffected
Comodo Internet Security 5.8 – unaffected
ESET Smart Security 5 – disabled
F-Secure Internet Security 2011 – unaffected
Kaspersky Internet Security 2012 – unaffected
McAfee Internet Security 2012 – unaffected
Norton Internet Security 2012 – disabled
You can read here the original blog post (with Google Translate).