ZeroAccess / Max++ rootkit analysis

[SysAdMini]

Step-by-Step Reverse Engineering Malware: ZeroAccess / Max++ / Smiscer Crimeware
http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/

[SysAdMini]

Whitepaper by PrevX
http://www.prevxresearch.com/zeroaccess_analysis.pdf

[rkhunter]

Some research from Webroot/Prevx, including self-protection mechanism:

The latest generation of a rapidly evolving family of kernel-mode rootkits called, variously, ZeroAccess or Max++, seems to get more powerful and effective with each new variant. The rootkit infects a random system driver, overwriting its code with its own, infected driver, and hijacks the storage driver chain in order to hide its presence on the disk. But its own self-protection mechanism is its most interesting characteristic: It lays a virtual tripwire.

I’ve written about this rootkit in a few recent blog posts and in a white paper. On an infected computer, this new driver sets up a device called \Device\svchost.exe, and stores a fake PE file called svchost.exe – get it? The path is \Device\svchost.exe\svchost.exe. The driver then attaches itself to the disk device stack. The driver creates a new system process, called svchost.exe, pointing to the path: \\Globalroot\Device\svchost.exe\svchost.exe. This fake process serves as a kind of trap, specifically looking for the types of file operations performed by security software.

When a typical security scanner tries to analyze the rootkit-created svchost.exe file, the rootkit queues an initialized APC into the scanner’s own process, then calls the ExitProcess() function — essentially forcing the scanner to kill itself.

http://blog.webroot.com/2011/07/08/zeroaccess-rootkit-guards-itself-with-a-tripwire/
Next one updating:

Last week ZeroAccess received another update, and again it’s a major one. The rootkit shifted from a hidden encrypted file used as an NTFS filesystem volume to a more comfortable hidden directory created inside the Windows folder, where the rootkit still stores its configuration data and other malware in an encrypted form.

The folder where the rootkit will store its files is located at the path: C:\WINDOWS\$NtUninstallKBxxxxx$, where the Xs represent a unique number generated from characteristics of the infected system.

http://blog.webroot.com/2011/07/19/zeroaccess-gets-another-update/

UPD: info from articles

[SysAdMini]

ZeroAccess’s trick - A wolf in sheep’s clothing
http://blogs.avg.com/news-threats/zeroaccesss-trick-wolf-sheeps-clothing/

[SysAdMini]

ZeroAccess Rootkit Launched by Signed Installers
http://blogs.mcafee.com/mcafee-labs/zeroaccess-rootkit-launched-by-signed-installers

[SysAdMini]

Trojan.ZeroAccess Infection Analysis
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

[SysAdMini]

ZeroAccess analysis by Sophos
http://sophosnews.files.wordpress.com/2012/04/zeroaccess.pdf

[SysAdMini]

ZeroAccess – From Rootkit to Nasty Infection
http://hitmanpro.wordpress.com/2012/06/25/zeroaccess-from-rootkit-to-nasty-infection/

[SysAdMini]

ZeroAccess: code injection chronicles
http://blog.eset.com/2012/06/25/zeroaccess-code-injection-chronicles

[SysAdMini]

ZeroAccess Misleads Memory-File Link
http://blogs.mcafee.com/mcafee-labs/zeroaccess-misleads-memory-file-link

[SysAdMini]

Trojan.Zeroaccess.C Hidden in NTFS Extended Attributes
http://www.symantec.com/connect/blogs/trojanzeroaccessc-hidden-ntfs-ea

ZeroAccess - new steps in evolution
http://artemonsecurity.blogspot.de/2012/06/zeroaccess-new-steps-in-evolution.html

[SysAdMini]

ZACCESS/SIREFEF Arrives with New Infection Technique
http://blog.trendmicro.com/?p=44273

[SysAdMini]

Sophos Technical Paper: ZeroAccess Botnet — Mining and Fraud for Massive Financial Gain
www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf?dl=true

[SysAdMini]

Cracking the Encrypted C&C Protocol of the ZeroAccess Botnet
http://www.virusbtn.com/pdf/conference_slides/2012/Morris-VB2012.pdf