ZeroAccess Rootkit Guards Itself with a Tripwire

Jack (Administrator, thread author):
Webroot said:
The latest generation of a rapidly evolving family of kernel-mode rootkits called, variously, ZeroAccess or Max++, seems to get more powerful and effective with each new variant. The rootkit infects a random system driver, overwriting its code with its own, infected driver, and hijacks the storage driver chain in order to hide its presence on the disk. But its own self-protection mechanism is its most interesting characteristic: It lays a virtual tripwire.

You can find a more detailed analysis of this rootkit here [PDF]

ZeroAccess Rootkit at work (video):
Uploaded by eraserPX on Jul 9, 2011 (no sound)
 

Attachments

  • zeroaccess_analysis.pdf
    1.2 MB · Views: 862
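The Webroot excerpt above says the rootkit overwrites a random system driver with its own code and hides the file from the storage driver chain. One defender-side check that follows from that is to verify the Authenticode signature of every driver on disk. The script below is an added example, not code from Webroot, the PDF, or this thread; it assumes the drivers directory is examined from clean media (WinPE, or the disk mounted on another machine), since a live infection would hide the modified driver from any on-box scan.

```powershell
# Added example, not code from Webroot or from the thread. Verifies the Authenticode
# signature of every driver in a System32\drivers directory and lists the ones that
# fail, which is one offline way to spot a system driver whose code has been
# overwritten. Assumption: -DriverDir points at a copy of the suspect volume mounted
# from clean media, because a running ZeroAccess hides the modified file on disk.
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

$report = Get-ChildItem -Path $DriverDir -Filter '*.sys' |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        New-Object PSObject -Property @{
            Driver    = $_.Name
            SizeBytes = $_.Length
            LastWrite = $_.LastWriteTime
            Status    = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            Signer    = $signer
        }
    }

# HashMismatch means the file changed after it was signed. NotSigned on an inbox
# driver is only a lead on Windows 7, where this cmdlet does not consult the driver
# catalog, so compare the file against a known-good install before acting on it.
$suspect = $report | Where-Object { $_.Status -ne 'Valid' }

$suspect | Sort-Object LastWrite -Descending |
    Format-Table Driver, Status, LastWrite, SizeBytes, Signer -AutoSize
```

A driver with a recent LastWrite time and a HashMismatch status is the pattern to look for; a small number of NotSigned results is normal on Windows 7 because most inbox drivers are catalog-signed rather than embedded-signed.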
Deleted member 178:

Very interesting. An example of UAC's usefulness.

Off topic: as if Avira didn't have enough problems :D
 

jamescv7 (Level 85, Honorary Member):

Interesting. AV must have strong self-protection in case it fails to work.
 

Jack (Administrator, thread author):
umbrapolaris said:
Very interesting. An example of UAC's usefulness.

Off topic: as if Avira didn't have enough problems :D

In order to be useful, UAC must be set to its highest level, as this rootkit attempts to evade UAC by executing a new, code-injected instance of explorer.exe.

[Image: 20110707_zeroaccessza_path.jpg]


Windows 7's UAC implementation contains a whitelist of system processes which can elevate their own privileges without user interaction in some specific situations, depending on how the UAC feature is configured. Explorer.exe is present in this whitelist, so that if UAC is configured not to notify the user on every action requiring the user's interaction (the configuration Microsoft uses as the factory setting), the process can automatically elevate itself and get administrator privileges. The rootkit module injected into explorer.exe shows the internal development project string ("p:\vc5\release\_uac.pdb") because the module itself has no name; it's just a bunch of code injected inside explorer.exe.

This is a very nasty rootkit. Hitman Pro can now also remove this rootkit, so that's good news.
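The post above makes two points worth turning into a check: the factory UAC setting lets whitelisted Windows binaries such as explorer.exe auto-elevate, and only the highest ("Always notify") level closes that path. The script below is an added example, not code from the thread or from Webroot. It reads the documented UAC policy values under HKLM, reports which slider position they correspond to, and with -Fix sets the "Always notify" position; the verdict wording is this script's own, and it assumes it is run from an elevated PowerShell when -Fix is used.

```powershell
# Added example, not code from the thread. Reads the UAC policy values behind the
# slider discussed above and reports whether whitelisted Windows binaries such as
# explorer.exe can still auto-elevate. With -Fix it sets the "Always notify"
# position (needs an elevated PowerShell). Value meanings are the documented
# Windows ones; the verdict strings are this script's own wording.
param([switch]$Fix)

$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacVerdict {
    param([int]$EnableLUA, [int]$ConsentPromptBehaviorAdmin, [int]$PromptOnSecureDesktop)
    if ($EnableLUA -ne 1) { return 'UAC disabled: nothing is ever prompted' }
    switch ($ConsentPromptBehaviorAdmin) {
        0 { return 'Never notify: every elevation is silent' }
        5 { return 'Default: whitelisted Windows binaries (explorer.exe included) auto-elevate silently' }
        2 {
            if ($PromptOnSecureDesktop -eq 1) { return 'Always notify on the secure desktop: no auto-elevation' }
            return 'Always prompt for consent, but not on the secure desktop'
        }
        4 { return 'Always prompt for consent, but not on the secure desktop' }
        1 { return 'Always prompt for credentials on the secure desktop' }
        3 { return 'Always prompt for credentials' }
        default { return "Unknown ConsentPromptBehaviorAdmin value $ConsentPromptBehaviorAdmin" }
    }
}

$p = Get-ItemProperty -Path $key
$current = @{
    EnableLUA                  = [int]$p.EnableLUA
    ConsentPromptBehaviorAdmin = [int]$p.ConsentPromptBehaviorAdmin
    PromptOnSecureDesktop      = [int]$p.PromptOnSecureDesktop
}
"EnableLUA={0} ConsentPromptBehaviorAdmin={1} PromptOnSecureDesktop={2}" -f `
    $current.EnableLUA, $current.ConsentPromptBehaviorAdmin, $current.PromptOnSecureDesktop
Get-UacVerdict @current

if ($Fix) {
    # "Always notify": consent prompt on the secure desktop for every elevation,
    # which is the weak factory setting (5) corrected to the strict one (2).
    Set-ItemProperty -Path $key -Name EnableLUA -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name ConsentPromptBehaviorAdmin -Value 2 -Type DWord
    Set-ItemProperty -Path $key -Name PromptOnSecureDesktop -Value 1 -Type DWord
    'Set to Always notify; a change to EnableLUA takes effect after a reboot.'
}
```

Run it without arguments to see the current position; ConsentPromptBehaviorAdmin=5 with PromptOnSecureDesktop=1 is the factory default the post refers to, and 2 with 1 is the "Always notify" position that removes silent auto-elevation.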
 