ZeroAccess rootkit against the security vendors

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,378
What is ZeroAccess?

ZeroAccess is a family of rootkits capable of infecting the Windows operating system. On infection, it replaces Windows system files and installs kernel hooks in an attempt to remain stealthy. Once the hooks are installed, the target operating system falls under the control of the rootkit, which is then able to hide processes, files and network connections, as well as to kill any security tool trying to access its files or processes. This rootkit is known to infect both 32-bit and 64-bit Windows operating systems.

ZeroAccess also patches system files to load its malicious code. The original file is then kept inside an encrypted virtual file system that the rootkit creates. The virtual file system is stored in a file on disk.

You can find more details here and here.

ZeroAccess rootkit at work:

ZeroAccess rootkit against the security vendors test

A blogger from my country has tested, in a virtual machine, the main Internet Security suites on the market against this rootkit.

Procedure:

He downloaded and installed, in a clean virtual machine, the latest version of each security suite.
He deactivated only the real-time antivirus engine, simulating an unknown virus attack, in order to observe the products' proactive protection and their ability to protect their own processes and services; then he ran the ZeroAccess rootkit.

Results:

avast! Internet Security 6 – disabled
AVG Internet Security 2012 – unaffected
Avira Premium Security 2012 – unaffected
BitDefender Internet Security 2012 – unaffected
Comodo Internet Security 5.8 – unaffected
ESET Smart Security 5 – disabled
F-Secure Internet Security 2011 – unaffected
Kaspersky Internet Security 2012 – unaffected
McAfee Internet Security 2012 – unaffected
Norton Internet Security 2012 – disabled


You can read here the original blog post (with Google Translate).
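The first post describes ZeroAccess patching Windows system files in place and hooking the kernel to hide the result. As an added example (not part of the thread and not from any of the tested vendors), the following PowerShell script performs the cheapest first triage check for that behaviour: it verifies the Authenticode signature of every driver in System32\drivers and reports files whose signature is missing or no longer matches the file bytes. It assumes it is run from an elevated prompt on the suspect machine, with the default Windows paths; the report path is an arbitrary choice.

```powershell
# Added example, not code from the thread or from any vendor.
# Flags drivers whose Authenticode signature is missing or invalid. A rootkit that
# patches a legitimate driver in place breaks that file's signed hash, so a
# 'HashMismatch' on a Microsoft driver is a strong lead.
# Assumptions: elevated PowerShell on the suspect host, default Windows paths.
# Caveat: an active kernel rootkit can hide or spoof the patched file from
# user-mode readers, so a clean result here does not prove a clean system.
# Repeat the check offline (boot media, or the disk mounted on a clean host)
# before trusting it.

param(
    [string]$DriverDir  = "$env:SystemRoot\System32\drivers",
    [string]$ReportPath = "$env:TEMP\driver-signature-report.csv"   # arbitrary
)

$results = Get-ChildItem -Path $DriverDir -Filter *.sys -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Name          = $_.Name
        SizeBytes     = $_.Length
        LastWriteTime = $_.LastWriteTime
        Status        = $sig.Status        # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer        = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256        = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
}

# Anything other than 'Valid' deserves a look. 'HashMismatch' means the bytes on
# disk no longer match the hash that was signed, i.e. the binary was modified
# after Microsoft (or the vendor) signed it.
$suspect = $results | Where-Object { $_.Status -ne 'Valid' }

$results | Export-Csv -Path $ReportPath -NoTypeInformation
"Checked $($results.Count) drivers; $($suspect.Count) with a non-valid signature. Full report: $ReportPath"

# Most recently written files first: a freshly patched driver usually stands out
# by its timestamp as well as by its signature status.
$suspect | Sort-Object LastWriteTime -Descending |
    Format-Table Name, Status, LastWriteTime, SHA256 -AutoSize
```

Two practical notes: some inbox drivers are signed only through a catalog file rather than with an embedded signature, so a 'NotSigned' result on an otherwise unmodified Microsoft driver should be cross-checked (for example with Sysinternals sigcheck, which understands catalogs) before it is treated as a finding, whereas 'HashMismatch' is rarely benign. And because the point of the rootkit is to lie to user-mode code, the SHA256 column is there so the same files can be hashed again from an offline view of the disk and the two listings compared; a file that differs between the live and offline views, or appears in only one of them, is exactly the discrepancy a cross-view rootkit check is looking for.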

Jack
Found this series of videos on YouTube: a Polish guy (testzabezpieczenpc) has tested some security suites against the ZeroAccess rootkit. Unlike the blogger from my country, he didn't disable the antivirus engine. Anyway, enjoy!

Videos were uploaded by testzabezpieczenpc from 23 to 25 Sep 2011

avast! Internet Security 6.0 vs Rootkit ZeroAccess


F-Secure Internet Security 2011 vs Rootkit ZeroAccess


ESET Smart Security 5 vs Rootkit ZeroAccess


TrustPort Antivirus 2012 Vs ZeroAccess Rootkit


McAfee Total Protection 2011 vs Rootkit ZeroAccess


Outpost Security Suite Pro Vs ZeroAccess Rootkit


Norton Internet Security 2012 vs Rootkit ZeroAccess


Norton Internet Security 2012 vs Rootkit ZeroAccess - Round 2

win7holic

New Member
Apr 20, 2011
2,079
Really shocked by the result.
ESET, avast and Norton could not detect or block it; on the contrary, they were disabled by the rootkit.
Their self-protection needs improvement.
In my test, McAfee failed to block the ransomware and killed my VM :p

varunit

Level 1
Sep 16, 2011
37
Thanks for the info, Jack. :)

Surprised to see that none of the legends (ESET, Norton, avast) blocked the attack.

However, it's nice to see that Kaspersky detected and blocked all the rootkits.

Littlebits

Retired Staff
May 3, 2011
3,893
I'm just wondering: even though there have been reports of ZeroAccess in the wild, do you know anyone who has been infected?

I don't think it is widely distributed yet, and it would be very rare to get infected with it at this time; maybe that is why many vendors don't detect it yet.

It appears that the samples are only used for testing purposes.

None of my novice customers have been infected with ZeroAccess.

Does anyone have a link to infection statistics for ZeroAccess?

Thanks. :D

Jack
Littlebits said:
Does anyone have a link to infection statistics for ZeroAccess?

According to Symantec the general risk level is very low.

ZeroAccess is usually installed on a system by a malicious executable disguised as a cracking tool for popular applications, so that might be the reason for the general risk level.

Here are the infection and propagation vectors according to McAfee:

McAfee said:
ZeroAccess is usually installed by a dropper component that may come to the machine from different sources.
One usual method that machines get infected is by downloading and executing small executable files used to
crack applications. These crack tools can be found in many different websites devoted to distributing cracked
applications. These sites also are known to distribute malicious files and exploits, and thus accessing unknown
websites should be avoided to lower the chance of getting infected.
Some names used by these droppers may include the following:
• Redtube.grabber.keygen.exe
• madden_crack.exe
• 1309803008.Microsoft.Office.Professional.crack.exe

(via McAfee)

Tom172

Level 1
Feb 11, 2011
1,009
Jack, Symantec last updated that threat writeup page on July 25, so the stats most likely changed since then.

I'm surprised Symantec missed this, it has a definition and 2 separate IPS detections for it. New variants must be coming out quick.

Detection updates:
Initial Rapid Release version July 13, 2011 revision 016
Latest Rapid Release version September 24, 2011 revision 022
Initial Daily Certified version July 13, 2011 revision 024
Latest Daily Certified version September 25, 2011 revision 005
Initial Weekly Certified release date July 13, 2011

ZeroAccess Activity 1

ZeroAccess Activity 2

Littlebits

Retired Staff
May 3, 2011
3,893
Tom172 said:
Jack, Symantec last updated that threat writeup page on July 25, so the stats most likely changed since then.

I'm surprised Symantec missed this, it has a definition and 2 separate IPS detections for it. New variants must be coming out quick.

Detection updates:
Initial Rapid Release version July 13, 2011 revision 016
Latest Rapid Release version September 24, 2011 revision 022
Initial Daily Certified version July 13, 2011 revision 024
Latest Daily Certified version September 25, 2011 revision 005
Initial Weekly Certified release date July 13, 2011

ZeroAccess Activity 1

ZeroAccess Activity 2

The link Jack posted applies to home users; the other two links apply only to businesses, enterprises, corporations, etc.

So in other words, home users face a very low threat. ZeroAccess is not intended for home users. Since I'm a home user, I could care less whether my AV detected it or not. If I was running a business then I might be a little concerned.

I think it is more important for vendors to focus on high-level and widespread threats. Norton products are only for home users. Products for business are labeled under the Symantec name. Since ZeroAccess is malware for business systems, then why was it tested against Norton?

For example, you can watch all of these videos on YouTube about how security products fail, but what they don't explain is that they are not matching samples with the right type of AV that can detect them. If the malware targets business systems, then use a business product to test them; don't use a product that is supposed to protect home users.

Thanks. :D

Tom172

Level 1
Feb 11, 2011
1,009
Those other 2 signatures I posted apply to home users (NIS) also, as indicated by this screenshot:

[screenshot: tlojQ.png]

I do agree with what you say though: it's not primarily targeted at home users, but Symantec feels it's not to be ignored either.
