Technical paper: The ZeroAccess rootkit under the microscope

ZeroAccess is a sophisticated kernel-mode rootkit that is quickly becoming one of the most widespread malware threats.

In a new technical paper from SophosLabs, malware researcher James Wyke explores the ZeroAccess threat, examines how it works and looks at what the malware’s ultimate goal is.

ZeroAccess has a resilient peer-to-peer command and control infrastructure, runs on both 32-bit and 64-bit versions of Windows, and has been constantly updated with new functionality, allowing it to thrive on modern networks and operating systems.

From the distribution mechanisms used to spread it, through the installation procedure, memory residence and payload, the technical paper offers a deep insight into how ZeroAccess works.

Read: ZeroAccess technical paper

Because people have asked – Yes, Sophos Anti-Virus can detect, block and remediate this rootkit and the various malware which uses it:

1. Infected files will be detected and blocked as Mal/ZAccess-x, Troj/ZAccess-x, Mal/Sirefef-x or Troj/Sirefef-x, where x denotes an alphabetic suffix (e.g. -A, -B). On a properly-protected system, this should prevent infection in the first place.

2. Active processes will be reported and blocked by the Sophos run-time HIPS (Host Intrusion Prevention System) as HPmal/ZAccess-A. This gives an extra layer of safety by providing proactive detection and prevention even of samples which evade detection in (1) above.

3. The ZeroAccess rootkit itself will be detected in kernel memory, and can be cleaned up, as Troj/ZAKmem-A. This means that the malware can be remediated even on systems where the rootkit is already active and stealthing.
