Reverse Engineering the source of the ZeroAccess crimeware rootkit




Posts: 18

Joined: Tue Nov 02, 2010 4:12 pm

Post Mon Nov 15, 2010 1:07 pm

Reverse Engineering the source of the ZeroAccess crimeware rootkit

Hi EH Netters! We recently undertook a project to update the hands-on labs in our Reverse Engineering Malware course, and one of our InfoSec Resources Authors defeated all of the anti-debugging and anti-forensics features of ZeroAccess and traced the source of this crimeware rootkit:


InfoSec Institute would classify ZeroAccess as a sophisticated, advanced rootkit. It has 4 main components that we will reverse in great detail in this series of articles. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power-users to remove and very difficult security experts to forensically analyze.

At the conclusion of the analysis, we will trace the criminal origins of the ZeroAccess rootkit. We will discover that the purpose of this rootkit is to set up a stealthy, undetectable and un-removable platform to deliver malicious software to victim computers. We will also see that ZeroAccess is being currently used to deliver FakeAntivirus crimeware applications that trick users into paying $70 to remove the “antivirus”. It could be used to deliver any malicious application, such as one that steals bank and credit card information in the future. Further analysis and network forensics supports that ZeroAccess is being hosted and originates from the Ecatel Network, which is controlled by the cybercrime syndicate RBN (Russian Business Network).

Symantec reports that 250,000+ computers have been infected with this rootkit. If 100% of users pay the $70 removal fee, it would net a total of $17,500,000. As it is not likely that 100% of users will pay the fee, assuming that perhaps 30% will, resulting $5,250,000 in revenue for the RBN cybercrime syndicate.

It has the following capabilities:

1. Modern persistence hooks into the OS – Make it very difficult to remove without damaging the host OS
2. Ability to use a low level API calls to carve out new disk volumes totally hidden from the infected victim, making traditional disk forensics impossible or difficult.
3. Sophisticated and stealthy modification of resident system drivers to allow for kernel-mode delivery of malicious code
4. Advanced Antivirus bypassing mechanisms.
5. Anti Forensic Technology – ZeroAccess uses low level disk and filesystem calls to defeat popular disk and in-memory forensics tools
6. Serves as a stealthy platform for the retrieval and installation of other malicious crimeware programs
7. Kernel level monitoring via Asynchronous Procedure Calls of all user-space and kernel-space processes and images, and ability to seamlessly inject code into any monitored image


User avatar

Hero Member
Hero Member

Posts: 1270

Joined: Mon Apr 28, 2008 9:20 am

Post Mon Nov 15, 2010 3:05 pm

Re: Reverse Engineering the source of the ZeroAccess crimeware rootkit

Great work as usual from Evilcry. :)


User avatar

Sr. Member
Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Sun Jul 10, 2011 5:49 am

Re: Reverse Engineering the source of the ZeroAccess crimeware rootkit

Another analysis of the ZeroAcess rootkit by PrevX, looks interesting:

Related article:

Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

[b]There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n


User avatar


Posts: 41

Joined: Wed Aug 11, 2010 6:15 am

Post Mon Jul 25, 2011 12:42 am

Re: Reverse Engineering the source of the ZeroAccess crimeware rootkit

Very inofrmative... thank you for sharing.

Can someone point to some good sources to understand analysis of malwares... i have been looking at some sites and I will share them

Tracur Malware Analysis
Sophos Security - Good source
http://www.sophos.com/en-us/threat-cent ... scare.aspx
2008 Malware Challenge Analysis
http://blog.mylookout.com/wp-content/up ... ge2008.pdf
Microsoft Blog - Good Source

Please let me know of other sources or books which I can follow to understand more on this topic

Return to Malware

Who is online

Users browsing this forum: No registered users and 1 guest

Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software