The Zeroaccess trojan (Maxx++, Sierief, Crimeware) has affected millions of computers worldwide, and it is the number one cause of cyber click fraud and Bitcoin mining on the Internet.
Once the trojan has been delivered into the system, it begins to download many other types of malware that can each cause a great deal of damage to an organization.
The trojan’s primary infection vectors are spam mail and exploit kits, but it can also be distributed through P2P file sharing services and fake cracks and keygens. The trojan is notable in that it joins a P2P botnet, which makes the botnet as a whole very difficult to dismantle.
Zeroaccess is a trojan rootkit that uses advanced cloaking mechanisms to evade detection and capture. It has the ability to hide itself from several types of antivirus software and its presence in the system is extremely difficult to ascertain.
It leaves no trace evidence indicating a data breach, and its network communications appear to originate from a legitimate system process. Usually the executable file will reside in the %TEMP% directory of the workstation, and the traffic to external websites will consist of encoded HTTP GET and POST requests.
Zeroaccess, once in the system, can carry out a wide variety of tasks, including:
- Use the infected computer for click fraud and Bitcoin mining
- Open the door to many other types of malware infecting the system
- Hide itself within the system without being detected
- Extract victim information including name, hostname, machine name, account name, etc.
Analysis
Zeroaccess malware can be downloaded from kernelinfo.com. In this case, the malware was downloaded intentionally for analysis.
As in any analysis, the first step is to isolate the affected system. After this, the entire system is scanned for malicious content. At first glance nothing concrete was found, but on further analysis a file is found in the %TEMP% directory of the infected workstation.
Another suspicious file is also found within the %SYSTEM% directory on the workstation. This file appeared to be a configuration file of some kind, and it was protected using ACL permissions.
The executable is extracted and run on a sandbox and comes up with confirmation of network indicators. The results also clearly indicate that the file was the dropper component for the Zeroaccess trojan.
The name of the file is found to be fvshis.sav, and the contents of the file are encrypted. The strings of the executable were extracted from memory, and several artifacts were found confirming that the dropper received was the 32-bit version of the Max++ dropper component:
Later, the dropper component of the trojan was analyzed, and at first glance the file appears to be unpacked:
However, during static analysis it is found that the file is packed using a complex custom packer. The executable also employs a complex anti-debugging scheme to further complicate analysis:
The INT 2 instruction raises an operating system interrupt that lets the program be debugger aware, i.e. the program can detect whether it is being analyzed under a debugger and terminate itself. This can hinder analysis of such executables.
The packing scheme employed by this particular trojan is also very complex, as it makes use of several layers of crypting and packing:
It is found that the dropper component makes use of a complex packing scheme. The unpacking scheme works in chunks, with each chunk having a line of anti-debugging code.
The dropper will continue to unpack itself in this manner until the entire file has been unpacked. If an analyst tries to break into the cycle with a debugger, the executable will crash the debugger.
After considerably more effort, the sample was unpacked, and it was found that the sample attempts to access several directories on the host computer:
From the usage of the INT 2 instruction in the code, we realize that the sample is a ring 0 rootkit, i.e. it runs in kernel mode. Memory analysis of the sample found that it creates a mutex in memory.
Such Mutexes are used by malware to ensure that the system is not re-infected with the same sample again:
It is found that the trojan has injected itself into a legitimate process (explorer.exe) and is using this process to execute its payload:
Later, kernel mode artifacts in memory were looked for, and it was found that the malware sample has hidden itself in the system as a kernel module:
The trojan disguises itself as a device driver in kernel memory. The driver is called B48DADF8.sys. The module was dumped for further analysis:
During preliminary analysis, suspicious network traffic leaving the infected system was identified, and this is analyzed in greater detail:
HTTP requests to one domain in particular are also seen:
The dropper is clearly trying to contact the above domain to download other malware samples into the infected system, and the domain name was analyzed:
The resolved C&C IP address appears to be in Zurich, Switzerland. Swiss law protects the privacy of its citizens to a great extent. This makes it a very popular location for bulletproof hosting providers. Bulletproof hosting is very popular with cybercriminals for hosting their C&C servers:
Further analysis of the domain shows that it actually maps to three different IP addresses, including the one given above. All of these addresses are in locations with strong privacy laws:
We found that all three IP addresses have been blacklisted as malicious:
- 141.8.225.62 (Switzerland)
- 199.79.60.109 (Cayman Islands)
- 208.91.196.109 (Cayman Islands)
Although this particular trojan does not steal user information, we found that it generates a large amount of traffic from its click fraud and Bitcoin mining modules.
Recommendations
- Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
- Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
- Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack; if they are removed, threats have fewer avenues of attack.
- Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
- Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
- Do not click suspicious advertisements and banners while browsing the web.
- Make use of log analysis tools (SIEM) for greater visibility against file and network changes within your organization.
- Ensure that your antivirus solution is up to date with the latest virus definitions.
- Ensure that your systems are up to date with the latest available patches, particularly the following vulnerabilities, as this trojan makes use of them to infect systems.
- CVE-2006-0003
- CVE-2008-2992
- CVE-2009-0927
- CVE-2009-1671
- CVE-2009-1672
- CVE-2009-4324
- CVE-2010-1885
- Ensure that your organization uses email gateways to filter spam messages and mails with malicious attachments.
- Do not click on links in email from unknown sources.
- Do not allow any P2P file sharing software in your corporate network environment.
- Block traffic to the following addresses in your perimeter devices such as Firewalls and IDS/IPS solutions.
- 141.8.225.62
- 208.91.196.109
- 199.79.60.109
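As an added example that is not part of the original analysis, the following Python script applies the last recommendation from the detection side: it scans proxy log lines for HTTP GET/POST requests to the three blacklisted C&C addresses identified above and reports which internal hosts contacted them. The log format (source, destination, method, path) and the log lines themselves are constructed for the example; the IP addresses are the ones listed on this page.

```python
import re
from ipaddress import ip_address

# IoCs taken from the analysis above: the three blacklisted C&C addresses.
ZEROACCESS_C2_IPS = frozenset({"141.8.225.62", "199.79.60.109", "208.91.196.109"})

# Constructed proxy log lines in an assumed "src dst method path" layout.
# These are sample records for the example, not traffic captured from the sample.
SAMPLE_PROXY_LOG = """\
10.0.0.15 93.184.216.34 GET /index.html
10.0.0.15 141.8.225.62 GET /aGVsbG8gdGhpcyBpcyBub3QgcmVhbA==
10.0.0.22 199.79.60.109 POST /zxcvbnmasdfghjkl
10.0.0.15 93.184.216.34 GET /images/logo.png
10.0.0.31 208.91.196.109 GET /
"""

LOG_RE = re.compile(r"^(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<method>GET|POST)\s+(?P<path>\S+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        # Normalise the destination so "010.0.0.1"-style variants still match.
        rec["dst"] = str(ip_address(rec["dst"]))
    except ValueError:
        pass  # destination is a hostname; keep it as written
    return rec


def is_c2_destination(dst):
    """True when the destination is one of the listed Zeroaccess C&C addresses."""
    return dst in ZEROACCESS_C2_IPS


def find_c2_contacts(log_text):
    """Return (src, dst, method, path) for every request to a listed C&C address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_c2_destination(rec["dst"]):
            hits.append((rec["src"], rec["dst"], rec["method"], rec["path"]))
    return hits


def infected_hosts(log_text):
    """Sorted list of internal hosts that contacted a C&C address (isolation candidates)."""
    return sorted({hit[0] for hit in find_c2_contacts(log_text)})
```

Hosts returned by `infected_hosts` are the ones to isolate first, per the recommendation above to quarantine compromised computers before performing forensics.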