ZeroAccess rootkit dominates, adds new persistence techniques
Posted on 02.08.2013
According to a recent report by Alcatel-Lucent subsidiary Kindsight, as much as 10 percent of home networks and over 0.5 percent of mobile devices are infected with malware, and the ZeroAccess botnet continues to be the most common malware threat, infecting 0.8 percent of broadband users.


The ZeroAccess (or Sirefef) rootkit ropes the infected computer into a huge peer-to-peer botnet that is currently being used for click fraud and Bitcoin mining. The rootkit is also capable of downloading additional malware.

ZeroAccess is almost benign when compared with information-stealing and banking malware - the main symptom of an infection is that online searches via Google Search often lead to unhelpful pages filled with ads and equally useless links, which generates revenue for its controllers and mild irritation for its victims.

The ZeroAccess botnet is continually growing, and there are many reasons behind its success. For one, the botmasters are using a lucrative Pay-Per-Install affiliate scheme to distribute the droppers. Secondly, it takes months for some users to notice that their computers are compromised.

Thirdly, the rootkit's authors are constantly improving the malware and, according to Sophos' James Wyke, the latest update includes interesting new techniques to ensure that the malware is present and starts working every time the infected computer is powered up.

Instead of storing its files in folders in the Recycle Bin and then modifying them so the user can't read from or write to them, the new ZeroAccess version drops them into the Program Files folder AND the user's local AppData area.

The files are additionally masked by the name of the folder in which they are contained, which bears Google's name, and by filenames containing Unicode right-to-left override characters that make them impossible for Windows to display correctly and to find via Explorer. On top of this, the malware reuses the earlier trick of making the folder difficult for an inexperienced user to access.
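As an added illustration (not code from the article or from Sophos), the following check flags file and folder names that carry the Unicode right-to-left override described above, along with the related bidi control characters, and can be pointed at the Program Files and local AppData roots the article names. The sample names are constructed, not real ZeroAccess artifacts.

```python
import os
import unicodedata
from typing import Iterable, List, Tuple

# Unicode bidirectional control characters. U+202E (RIGHT-TO-LEFT OVERRIDE)
# is the one the article describes; the others are the related embedding,
# override and isolate controls that cause the same display confusion.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}


def bidi_flags(name: str) -> List[str]:
    """Return the Unicode names of any bidi control characters in a name."""
    return [unicodedata.name(ch) for ch in name if ch in BIDI_CONTROLS]


def suspicious_names(names: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Reduce an iterable of path components to those carrying bidi controls."""
    return [(name, bidi_flags(name)) for name in names if bidi_flags(name)]


def scan_tree(root: str) -> List[Tuple[str, List[str]]]:
    """Walk a directory tree; report each entry whose own name carries bidi controls."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            flags = bidi_flags(name)
            if flags:
                hits.append((os.path.join(dirpath, name), flags))
    return hits


# Constructed sample names (hypothetical, not taken from a real infection):
SAMPLE_NAMES = [
    "Google",                # benign, no control characters
    "Google\u202eetadpU",    # RLO reverses the visual order of the tail
    "notes.txt",
    "\u202bhidden.exe",      # RLE embedding control at the start
]

if __name__ == "__main__":
    for name, flags in suspicious_names(SAMPLE_NAMES):
        print(repr(name), flags)
    # On a live Windows host, scan the two locations the article names.
    for var in ("ProgramFiles", "LOCALAPPDATA"):
        root = os.environ.get(var)
        if root:
            for path, flags in scan_tree(root):
                print(repr(path), flags)
```

Searching by raw code point rather than by displayed name is the point: Explorer renders the override, so a visual search for the folder fails while a code-point check does not.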

The payload has remained the same, and the botnet still mainly concentrates on click fraud, but it's obvious that the malware is still under active development, and we can expect ZeroAccess to be a problem for a while yet.
