Scrutinizing the Long-Time Dangerous ZeroAccess Rootkit
SophosLabs reports that ZeroAccess, a dangerous malicious program, has been circulating on the Web for a long time. Lately, the security company has observed a sharp rise in the number of computers infected with ZeroAccess, as samples are being propagated widely online.
During its time on the Web, ZeroAccess has undergone several alterations to its functionality, its infection methods and its techniques for remaining on the target computer. Yet its basic objective has always been the same: to fully compromise the target system by making it part of the ZeroAccess botnet, so that more malware can be downloaded onto the zombie.
Essentially a kernel-mode rootkit, ZeroAccess has similarities with the TDL rootkits. It employs sophisticated methods to conceal its presence; it can run on both 32-bit and 64-bit Windows from a single installer; it has dynamic self-defense capabilities; and it functions as an advanced platform for delivering malware.
ZeroAccess further resembles other sophisticated malicious programs currently proliferating with respect to its infection vectors. Although ZeroAccess does not itself exploit software flaws, the malware is frequently distributed through the BlackHole or Nice Pack exploit kits, which take advantage of various security vulnerabilities. Users should therefore apply a comprehensive patching policy covering their web browser, operating system and browser plug-ins.
As noted, the ZeroAccess rootkit has backdoor features. Following a method widely used by Conficker, ZeroAccess lists multiple C&C servers to contact for commands, which makes tracing the servers, and blocking the malware's communications, considerably harder. Once loaded, ZeroAccess diverts the end user's web traffic, for instance redirecting search results to websites that generate revenue for the online criminals running the ZeroAccess botnet.
Moreover, one of the main methods ZeroAccess uses to hide its presence on a target computer is a driver that intercepts reads of the hard disk, effectively disguising its own rootkit files. ZeroAccess stores these files in an encrypted folder it creates within the Windows system directory.
SPAMfighter News - 25-04-2012