ZeroAccess rootkit dominates, adds new persistence techniques
Posted on 02.08.2013
According to a recent report by Alcatel-Lucent subsidiary Kindsight, as much as 10 percent of home networks and over 0.5 percent of mobile devices are infected with malware, and the ZeroAccess botnet continues to be the most common malware threat, infecting 0.8 percent of broadband users.


The ZeroAccess (or Sirefef) rootkit ropes the infected computer into a huge peer-to-peer botnet that is currently being used for click fraud and Bitcoin mining. The rootkit is also capable of downloading additional malware.

ZeroAccess is almost benign when compared with information-stealing and banking malware: the main symptom of an infected computer is that online searches via Google Search often lead to unhelpful pages filled with ads and equally useless links, which generates revenue for its controllers and mild irritation for its victims.

The ZeroAccess botnet is continually growing, and there are many reasons behind its success. For one, the botmasters are using a lucrative Pay-Per-Install affiliate scheme to distribute the droppers. Secondly, it takes months for some users to notice that their computers are compromised.

Thirdly, the rootkit's authors are constantly improving the malware and, according to Sophos' James Wyke, the latest update includes interesting new techniques to ensure that the malware is present and starts working every time the infected computer is powered up.

Instead of storing its files in folders in the Recycle Bin and then modifying them so the user can't read from or write to them, the new ZeroAccess version drops them into the Program Files folder and the user's local AppData area.

The files are additionally masked by the name of the folder that contains them, which bears Google's name, and by filenames containing Unicode right-to-left override characters that make them impossible for Windows to display properly and to find via Explorer. On top of this, the malware repeats the earlier scheme that makes it difficult for the inexperienced user to access the folder.
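As an added illustration of the detection side of this technique (not code from the article or from Sophos), the script below walks a directory tree and flags any file or folder name carrying a right-to-left override or other invisible Unicode format character, the kind of name Explorer cannot display cleanly. The sample tree it builds is constructed for the demo; pass a real path such as Program Files or %LOCALAPPDATA% as the argument instead.

```python
import os
import sys
import tempfile
import unicodedata

# Bidi control characters abused to disguise filenames; U+202E (RLO) is the one
# the article describes, the others are its siblings from the same Unicode block.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF", "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM",
}

def control_chars(name):
    """Labels of bidi controls and other invisible format characters (category Cf) in a name."""
    labels = []
    for ch in name:
        if ch in BIDI_CONTROLS:
            labels.append(BIDI_CONTROLS[ch])
        elif unicodedata.category(ch) == "Cf":
            labels.append("U+%04X" % ord(ch))
    return labels

def scan_names(paths):
    """Return findings for every path whose last component carries control characters."""
    findings = []
    for path in paths:
        name = os.path.basename(path)
        labels = control_chars(name)
        if labels:
            # escaped form makes the finding readable in a log where the raw name would not be
            findings.append({"path": path,
                             "escaped": name.encode("unicode_escape").decode("ascii"),
                             "controls": labels})
    return findings

def scan_tree(root):
    """Walk a directory (e.g. Program Files or %LOCALAPPDATA%) and scan every entry name."""
    paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    return scan_names(paths)

def build_sample_tree():
    """Constructed sample tree (not real malware): one clean Google folder, one RLO-disguised one."""
    root = tempfile.mkdtemp(prefix="rlo_demo_")
    clean = os.path.join(root, "Program Files", "Google", "Update")
    os.makedirs(clean)
    open(os.path.join(clean, "GoogleUpdate.exe"), "w").close()
    disguised = os.path.join(root, "Program Files", "Google\u202e")  # folder name ends in RLO
    os.makedirs(disguised)
    open(os.path.join(disguised, "\u202eexe.tad"), "w").close()  # RLO makes Explorer show it reversed
    return root

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree()
    for f in scan_tree(root):
        print("%s  %s  %s" % (",".join(f["controls"]), f["escaped"], f["path"]))
```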

The payload has remained the same, and the botnet still mainly concentrates on click fraud, but it's obvious that the malware is still under active development, and we can expect ZeroAccess to be a problem for a while yet.
Copyright 1998-2014 by Help Net Security.