The ZeroAccess rootkit


A technical paper by James Wyke, SophosLabs, UK


The ZeroAccess rootkit is a dangerous threat that has been circulating for several years. SophosLabs has recently seen the number of machines infected with ZeroAccess increase sharply as there has been a proliferation of samples appearing in the wild.

Unique samples graph

In the time that ZeroAccess has been in the wild there have been a number of revisions, with modifications to its functionality, infection strategy and its persistence mechanisms on an infected machine. However, the core purpose has remained: to assume full control of the machine by adding it to the ZeroAccess botnet and to monetize the new asset by downloading additional malware.

Primarily, ZeroAccess is a kernel-mode rootkit, similar in ethos to the TDL family of rootkits. It uses advanced techniques to hide its presence, is capable of functioning on both 32-bit and 64-bit flavors of Windows from a single installer, contains aggressive self-defense functionality and acts as a sophisticated delivery platform for other malware.


Infection vectors for ZeroAccess are very similar to other high profile malware families currently circulating in the wild. Although not entirely comprehensive, the main distribution methods for ZeroAccess can be split into two categories: exploit packs and social engineering.

Exploit packs

ZeroAccess has become an increasingly popular payload for the various exploit packs currently on the market, in particular Blackhole. An exploit pack typically comes as a series of PHP scripts that are stored on a web server under the control of the attacker. When a victim’s browser accesses the loaded website, the server backend will attempt to exploit a vulnerability on the target machine and execute the payload. Exploit packs usually contain a great many different exploits targeting applications commonly found on Windows PCs such as Internet Explorer, Acrobat, Flash and Java.

Traffic is driven to websites hosting exploit packs through a variety of means. A common method is through the use of legitimate sites that have been compromised by the attacker (often through stolen FTP credentials or SQL injection). They are then used to both host the exploit packs themselves and as redirectors to the main attack site. Typically, small amounts of JavaScript code are inserted into pages of a compromised website that will send the user to the attack site.

Ad servers have also been compromised in this way, which can result in widespread infection very quickly if the ads are served to high profile websites. SEO (Search Engine Optimisation) techniques are used to drive compromised websites up search engine rankings, increasing the traffic that gets sent to the attack site.

We have also seen this delivery method initiated through email; an email is spammed out containing a link that, when clicked, sends the victim to a compromised website hosting an exploit pack.

Exploit packs as an infection vector for ZeroAccess are very effective and usually require no input from the victim other than browsing to an apparently legitimate website or clicking an innocuous-seeming link.

Social engineering

The second main infection vector for ZeroAccess is through a variety of social engineering techniques. At the heart of these is the goal of convincing a victim to run an executable that they should not. The lure is often a piece of illicit software such as a game or a copyright protection bypassing tool such as a crack or keygen. These Trojanised files are placed on upload sites and on torrents and given filenames designed to trick the unwary into downloading and running them.

The following is an example of a file purporting to be a keygen for DivX Plus 8.0 for Windows. The file would be placed onto upload sites or offered as a torrent. The file is in fact an NSIS self-extractor that contains the advertised keygen program but also contains an encrypted 7zip file. When executed, the self-extractor unpacks the keygen program to ‘%Profile%\Application Data\Keygen.exe’ and executes it:

figure 1

But in the background the 7zip file is dropped, extracted and the single file inside (the ZeroAccess dropper) is executed. By observing API calls the 7zip password can be ascertained:

figure 2

Here is an example where the lure was a copy of the game ‘Skyrim’. Again the installer is an NSIS archive. This time a file is dropped to ‘%Profile%\Application Data\skyrimlauncher.exe’ and a screen is shown that purports to be the game installer:

figure 3

But once again in the background an encrypted 7zip file is dropped, extracted and the contents executed, installing ZeroAccess.
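
The behaviour described in both examples (one installer process writes and launches a lure under ‘Application Data’, drops a 7zip archive, then launches a second executable) can be expressed as a correlation rule over endpoint telemetry. The following is an added example, not code from the paper: the event field names, the sample events and the assumption that the installer process itself writes and starts the second executable are all constructed for illustration.

```python
import ntpath
from collections import defaultdict

SEVENZ_MAGIC = bytes.fromhex("377abcaf271c")  # 7z archive signature
APPDATA = "\\application data\\"              # lure location named in the paper
P = "C:\\Documents and Settings\\bob"         # constructed profile path

# Constructed telemetry; the field names (type, pid, ppid, target, head, image)
# are assumptions about what an EDR or Sysmon-style feed would supply.
EVENTS = [
    {"type": "file_create", "pid": 1200, "target": P + "\\Application Data\\Keygen.exe", "head": b"MZ"},
    {"type": "process_create", "ppid": 1200, "pid": 1310, "image": P + "\\Application Data\\Keygen.exe"},
    {"type": "file_create", "pid": 1200, "target": P + "\\Local Settings\\Temp\\data.bin", "head": SEVENZ_MAGIC},
    {"type": "file_create", "pid": 1200, "target": P + "\\Local Settings\\Temp\\setup1.exe", "head": b"MZ"},
    {"type": "process_create", "ppid": 1200, "pid": 1322, "image": P + "\\Local Settings\\Temp\\setup1.exe"},
    # Benign installer: writes one program and starts it, no archive, no second binary.
    {"type": "file_create", "pid": 2000, "target": "C:\\Program Files\\Tool\\tool.exe", "head": b"MZ"},
    {"type": "process_create", "ppid": 2000, "pid": 2001, "image": "C:\\Program Files\\Tool\\tool.exe"},
]

def find_bundled_droppers(events):
    """Flag processes that write a 7z archive, launch a program they wrote under
    Application Data, and also launch a second executable they wrote elsewhere."""
    written = defaultdict(dict)   # pid -> {lowercased path: first bytes of file}
    launched = defaultdict(list)  # ppid -> lowercased child image paths
    for e in events:
        if e["type"] == "file_create":
            written[e["pid"]][e["target"].lower()] = e.get("head", b"")
        elif e["type"] == "process_create":
            launched[e["ppid"]].append(e["image"].lower())
    hits = {}
    for pid, files in written.items():
        archives = [p for p, h in files.items() if h.startswith(SEVENZ_MAGIC)]
        # Only count children whose image this same process wrote as a PE file.
        own = [i for i in launched[pid] if files.get(i, b"").startswith(b"MZ")]
        lure = [i for i in own if APPDATA in i]
        second = [i for i in own if APPDATA not in i]
        if archives and lure and second:
            hits[pid] = {"archive": archives, "lure": [ntpath.basename(i) for i in lure],
                         "second_stage": [ntpath.basename(i) for i in second]}
    return hits

if __name__ == "__main__":
    for pid, detail in find_bundled_droppers(EVENTS).items():
        print(pid, detail)
```

Matching the archive on its leading bytes rather than its file extension keeps the rule working when the dropped archive is given an arbitrary name.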


ZeroAccess droppers have changed as the rootkit itself has evolved. Currently, droppers are usually packed with one of a group of complex polymorphic packers.

These packers are a typical example of the protection measures that modern malware employs to both hinder analysis and to attempt to avoid detection by security tools. They are updated several times a day and are always checked against AV scanners before they are released into the wild.

The packers contain a great many anti-emulation and anti-debug techniques designed to defeat emulators inside AV engines and to make analysis inside a controlled environment more difficult. The dropper has recently been using hardware breakpoints as part of its unpacking routine, which makes attaching a kernel debugger to the target system (necessary to analyse the kernel-mode components) more challenging.

An interesting feature of ZeroAccess droppers is that a single dropper will install the 32-bit or the 64-bit version of the malware depending on which OS it is executed under.
