Technical paper: The ZeroAccess rootkit under the microscope

Filed Under: Data loss, Malware

Virus on computer, images courtesy of ShutterstockZeroAccess is a sophisticated kernel-mode rootkit that is quickly becoming one of the most widespread malware threats.

In a new technical paper from SophosLabs, malware researcher James Wyke explores the ZeroAccess threat, examines how it works and looks at what the malware's ultimate goal is.

ZeroAccess has a resilient peer-to-peer command and control infrastructure, runs on both 32-bit and 64-bit versions of Windows, and has been constantly updated with new functionality, allowing it to thrive on modern networks and operating systems.

From the distribution mechanisms used to spread it, through the installation procedure, memory residence and payload, the technical paper offers a deep insight into how ZeroAccess works.

Read: ZeroAccess technical paper

Because people have asked - Yes, Sophos Anti-Virus can detect, block and remediate this rootkit and the various malware which uses it:

1. Infected files will be detected and blocked as Mal/ZAccess-x, Troj/ZAccess-x, Mal/Sirefef-x or Troj/Sirefef-x , where x denotes an alphabetic suffix (e.g. -A, -B). On a properly-protected system, this should prevent infection in the first place.

2. Active processes will be reported and blocked by the Sophos run-time HIPS (Host Intrusion Detection System) as HPmal/ZAccess-A. This gives an extra layer of safety by providing proactive detection and prevention even of samples which evade detection in (1) above.

3. The Zero Access rootkit itself will be detected in kernel memory, and can be cleaned up, as Troj/ZAKmem-A. This means that the malware can be remediated even on systems where the rootkit is already active and stealthing.

Computer and virus images, courtesy of Shutterstock

, , ,

You might like

8 Responses to Technical paper: The ZeroAccess rootkit under the microscope

  1. Diddams · 1274 days ago

    Thank you! This is a really great paper, hope to see more of them. And thank you for adding the detection details ;)

  2. Faz · 1273 days ago

    Does your free virus removal tool also detect this rootkit ?

  3. Faz · 1270 days ago

    "Yes, Sophos Anti-Virus can detect, block and remediate this rootkit and the various malware which uses it" - but does this also apply to the free virus removal toolkit you kindly provide for download ?

    Should we assume that no answer = the answer No ?

    • The free virus removal tool doesn't include a real-time component (so there's no "blocking"), but should be able to detect the malware.

      • Faz · 1269 days ago

        Thanks Graham. Very kind of Sophos to make that tool available for free download.

      • Guest · 1168 days ago

        The user named Faz also asked if the product "remediates" it. This is a key question and you did not address this.

        I just ran the free AV Removal tool and it identified 3 malwares, including this one and referred me back to sophos. So there was no remediation. What is the point, to identify and not fix? Might generate more sales if you'd at least point people in the direction of a product that works if the so-called "removal" tool doesn't actually "remove."

  4. Clive E · 1270 days ago

    Thanks for the report. Very useful. My XP SP3 desktop was infected by this problem last week. The report and your free virus remova tool have been very helpful.

    FYI.. You can see the directories that hide the files if you run Windows defragmentation. The files are lsited in the final report as ones that can't be accessed.
    I still need to get rid of theses files and folders.

  5. Jim · 1103 days ago

    Sophos did detect and remove, a competitor Kaspersky did not detect and I am most impressed that Sophos did. By the way the product Microsoft security essentials did not detect this threat result infection on the device. Thumbs up :)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Anna Brading is Naked Security's editor. She has worked in tech for more than ten years and as a writer with Sophos for over five. She's interested in social media, privacy and keeping people safe online.