ZeroAccess Rootkit Detection


A quick overview of the ZeroAccess rootkit: the malware propagates via exploit packs (Blackhole) and keygens.
It escalates privileges by faking UAC for a Flash Player installer: it drops a malicious DLL into the Flash Player installer directory, which is loaded instead of the legitimate DLL in the system root directory (an old Windows flaw). As the user accepts the UAC prompt, thinking it is a genuine Flash Player installation, the ZeroAccess rootkit is installed as a bonus.

It lowers the security of the infected machine by disabling Windows security services. It also replaces driver files in the system root directory.

It then downloads a config file from an algorithmically generated domain whose TLD is .cn.

It communicates with the P2P botnet using the commands "getL", "getF" and "srv?".

To detect the config file request, I analyzed the URLs: the domains are .cn and the domain name is non-readable, such as, . Also, when I tested a sample set of ZeroAccess rootkit domains on Bluecoat, these domains fell into the categories 'Suspicious', 'Malicious Sources', 'Malicious Botnets' and 'none'.
Since the domains are generated, there is a good probability that they have no rating at all.

Our takeaways:
1) The P2P communication does not use ports 80 or 443, so it will be blocked on any organization's network and the damage will be reduced.
2) I have included the pattern below in the Suspicious URL Pattern query.
(web_host like '' and url like '%.php?_=%' and ("filter" like 'Suspicious' or "filter" like '%Malicious%' or "filter" like 'none'))

3) I would recommend blocking domains under suspicious TLDs such as .cn, .ru, .cc and .su whose proxy rating is "none".
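As an added example (not from the original post), here is the detection logic of takeaways 2 and 3 applied to constructed proxy log lines in Python: it flags requests to a suspect TLD whose URL matches the `.php?_=` pattern, whose proxy rating is Suspicious, Malicious* or none, and whose domain label looks generated. The log line format, the TLD list filling the blank host clause of the post's query, and the vowel-ratio readability heuristic are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log lines (not real data): client, proxy category, URL.
SAMPLE_LOG = """\
10.0.0.5 none http://qzkxtrvbwp.cn/p.php?_=1234567
10.0.0.6 Suspicious http://vxkqrtzjm.cn/index.php?_=98
10.0.0.7 Technology/Internet http://www.example.cn/news.php?_=1
10.0.0.8 Malicious Botnets http://wprtzkvxq.cn/a.php?_=55
10.0.0.9 none http://shop.example.com/cart.php?_=7
"""

URL_PATTERN = re.compile(r"\.php\?_=")        # the post's '%.php?_=%' clause
SUSPECT_TLDS = (".cn", ".ru", ".cc", ".su")   # assumption: TLDs from takeaway 3

def looks_unreadable(label: str) -> bool:
    """Assumption: a generated label is long and has almost no vowels."""
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 6:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.2

def rating_is_weak(category: str) -> bool:
    """Mirror of the post's filter clause: Suspicious, %Malicious% or none."""
    cat = category.strip().lower()
    return cat in ("none", "suspicious") or "malicious" in cat

def is_zeroaccess_config_request(category: str, url: str) -> bool:
    """Suspect TLD, '.php?_=' URL, weak rating and an unreadable domain label."""
    host = (urlsplit(url).hostname or "").lower()
    if not host.endswith(SUSPECT_TLDS) or not URL_PATTERN.search(url):
        return False
    parts = host.split(".")
    second_level = parts[-2] if len(parts) >= 2 else host
    return rating_is_weak(category) and looks_unreadable(second_level)

def parse_line(line: str):
    """Split 'client category url'; the category may itself contain spaces."""
    client, rest = line.split(" ", 1)
    category, tail = rest.rsplit(" http", 1)
    return client, category, "http" + tail.strip()

def scan(log_text: str) -> list:
    """Return the URLs in the log that the detection flags."""
    hits = []
    for line in filter(str.strip, log_text.splitlines()):
        _, category, url = parse_line(line)
        if is_zeroaccess_config_request(category, url):
            hits.append(url)
    return hits
```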

The ZeroAccess rootkit


About wikihead

A Seeker. Information Security Professional, Pursuing Life with Ayurveda.