A quick overview of the ZeroAccess rootkit. The malware propagates via exploit packs (Blackhole) and trojanized keygens.
It escalates privileges by abusing the UAC prompt of a legitimate Flash Player installer: the dropper places a malicious DLL in the directory the installer runs from, and because Windows searches the application directory before the system directory, the installer loads that DLL instead of the legitimate one in the system directory (DLL search-order hijacking, an old Windows weakness). The user sees a UAC prompt for what looks like a genuine Flash Player installation, accepts it, and gets the ZeroAccess rootkit installed as a bonus.
It lowers the security of the infected machine by disabling Windows security services. It also overwrites driver files in the system directory with its own.
It then downloads its configuration file from an algorithmically generated domain under the .cn TLD.
It communicates with the P2P botnet using the commands "getL" (request the peer list), "getF" (request a file) and "srv?".
In order to detect the config file request, I analyzed the URLs, which are .cn domains whose names are non-readable, such as pnwjogba.cn and moayuetc.cn. Also, as I tested a sample set of ZeroAccess rootkit domains on Bluecoat, these domains fell into the categories 'Suspicious', 'Malicious Sources', 'Malicious Botnets' and 'none'.
As the domains are algorithmically generated, there is a good probability that the proxy has no rating for them yet, so a rating of 'none' is itself a useful signal.
1) As the P2P communication is not on ports 80 or 443, and other outbound ports are blocked by egress filtering on most organizations' networks, the damage is reduced.
2) I have included the pattern below in the Suspicious URL Pattern query.
(web_host like '%.cn' and url like '%.php?_=%' and ("filter" like 'Suspicious' or "filter" like '%Malicious%' or "filter" like 'none'))
3) I would recommend blocking suspicious TLDs such as .cn, .ru, .cc and .su whose proxy rating is "none".
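The detection pattern in point 2 and the TLD rule in point 3, run over a few proxy log lines, as an added example that is not part of the original post. The log format (date, time, client IP, host, URI, quoted category) and the log lines themselves are constructed for the example and are not real Bluecoat output; the hosts pnwjogba.cn and moayuetc.cn come from the post, the others are made up.

```python
import shlex
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample proxy log (not a real Bluecoat export). Fields:
# date time c-ip cs-host cs-uri cs-categories (category is quoted).
SAMPLE_LOG = """\
2012-06-14 10:02:11 10.1.4.23 pnwjogba.cn /abc.php?_=132 "none"
2012-06-14 10:02:15 10.1.4.23 moayuetc.cn /cfg.php?_=128 "Malicious Sources"
2012-06-14 10:03:01 10.1.4.31 www.example.cn /index.php?_=1 "Business/Economy"
2012-06-14 10:03:09 10.1.4.31 example.com /x.php?_=9 "none"
2012-06-14 10:04:20 10.1.4.40 example.ru /news.html "none"
"""

# TLDs from point 3 of the post.
RISKY_TLDS: Tuple[str, ...] = (".cn", ".ru", ".cc", ".su")


@dataclass
class ProxyRecord:
    date: str
    time: str
    client_ip: str
    web_host: str
    url: str
    category: str  # the proxy rating, "filter" in the post's query


def parse_log(text: str) -> List[ProxyRecord]:
    """Parse the constructed log format; shlex keeps the quoted category as one field."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if len(parts) != 6:
            raise ValueError(f"unexpected field count in line: {line!r}")
        records.append(ProxyRecord(*parts))
    return records


def is_config_request(rec: ProxyRecord) -> bool:
    """Python equivalent of the post's pattern:
    web_host like '%.cn' and url like '%.php?_=%' and
    ("filter" like 'Suspicious' or "filter" like '%Malicious%' or "filter" like 'none')
    Comparison is done case-insensitively, as LIKE is on most reporting back ends."""
    host = rec.web_host.lower()
    cat = rec.category.lower()
    return (host.endswith(".cn")
            and ".php?_=" in rec.url
            and (cat == "suspicious" or "malicious" in cat or cat == "none"))


def is_unrated_risky_tld(rec: ProxyRecord, tlds: Tuple[str, ...] = RISKY_TLDS) -> bool:
    """Point 3 of the post: a risky TLD that the proxy has not rated."""
    return rec.web_host.lower().endswith(tlds) and rec.category.lower() == "none"


def flag_config_requests(text: str) -> List[str]:
    """Hosts that match the config-request pattern, deduplicated and sorted."""
    return sorted({r.web_host for r in parse_log(text) if is_config_request(r)})


def unrated_block_candidates(text: str) -> List[str]:
    """Hosts the TLD rule would block, deduplicated and sorted."""
    return sorted({r.web_host for r in parse_log(text) if is_unrated_risky_tld(r)})


if __name__ == "__main__":
    print("config requests:", flag_config_requests(SAMPLE_LOG))
    print("unrated risky TLD hosts:", unrated_block_candidates(SAMPLE_LOG))
```

On the sample above, the pattern flags pnwjogba.cn and moayuetc.cn but not www.example.cn, which has the same URL shape but a benign category; the TLD rule adds example.ru. One caveat worth keeping in mind when tuning the pattern: a `_=` query parameter is also what jQuery appends to AJAX requests to defeat caching, so the `.php?_=` part alone is a weak indicator and the .cn and category conditions are doing most of the work.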