<blockquote data-quote="Brianwill" data-source="post: 598" data-attributes="member: 15">
<p><strong>ZeroAccess</strong></p>
<ul>
<li data-xf-list-type="ul"><strong>Brief description:</strong> Trojan downloader, spammer, and miner</li>
<li data-xf-list-type="ul"><strong>Years of life:</strong> 2009–2013</li>
<li data-xf-list-type="ul"><strong>Number of infections:</strong> 9 million</li>
<li data-xf-list-type="ul"><strong>Distribution method:</strong> exploit pack</li>
</ul>
<p>The history of ZeroAccess in the rootkit chronicle began in June 2009. At that time, there was an interesting sample with the string F:\VC5\release\ZeroAccess.pdb in the rootkit driver. So the name ZeroAccess is the authors' own. There were others, of course: ZeroAccess is also known as Smiscer and Sirefef.</p>
<p>An interesting feature of ZeroAccess is "live bait fishing" for breaking off antivirus programs. In addition to its main driver, the rootkit, the bot had an additional kernel driver for creating a decoy, an object that antivirus programs and other supposedly protective mechanisms pecked at. This driver created the device \Device\svchost.exe and stored a dummy binary at the address \Device\svchost.exe\svchost.exe. Access to this pseudo-file was monitored by the rootkit. If something hit the bait, ZeroAccess killed the process by injecting code into it that called ExitProcess(). And to prevent subsequent launches of the program that got caught, ZeroAccess reset the ACL for its executable file to prohibit reading and execution. Thus, once caught, the antivirus could no longer start.</p>
<p>In January 2010, the creators of ZeroAccess rolled out an update that enriched ZeroAccess with new features. For this purpose (surprise!), the resources of the Russian Business Network were used. In this version, an obvious borrowing of the ideas of the older TDL-3 rootkit became more noticeable: the launch was now performed through driver infection, and hidden storage in a separate hard disk partition was used to store rootkit components.</p>
<p>Until April 2011, 64-bit versions of Windows were relatively safe and did not get infected with ZeroAccess. However, in May, with the next update, this annoying omission was corrected, though not in a very technological way. The fact is that in the 32-bit version, the rootkit worked at the kernel level, while in the 64-bit environment everything worked in user space. Apparently, the authors decided not to bother with bypassing driver signature verification and made such a crutch.</p>
<p>To increase survivability, we added TCP-based P2P for distributing our modules, as well as a list of initial peers, which contained 256 supernode IP addresses. Antivirus analysts note that this version began to load two types of payload: for click fraud and for mining.</p>
<p>As time went on, more and more people switched to 64-bit operating systems, which make it difficult to develop a kernel-mode rootkit. In May 2012, the kernel driver was dropped, and now all work took place in user mode. The algorithm of the peer-to-peer network also changed slightly, and the length of the RSA key was doubled, from 512 to 1024 bits. Previously, peer-to-peer connections went only over TCP, but now the list of IP addresses was requested over UDP, and the list of modules was requested over TCP. As before, there was still a division according to the type of payload: there was a click fraud or mining module to choose from.</p>
<p>The ZeroAccess example illustrates the principle of Occam's razor: don't multiply entities unnecessarily, or, put simply, don't overcomplicate. ZeroAccess started out as a technological development, then the rootkit fell off in the course of evolution, but the botnet continued to live and even got such a fashionable feature as P2P.</p>
<p>Sophos estimates that the number of computers infected by the bot at the end of summer 2012 was more than 9 million, with active infections at about a million. According to experts, the ZeroAccess botnet was the most active in 2012.</p>
<p>Antivirus companies, of course, did not ignore the existence of the botnet and actively looked for methods of intrusion through the ZeroAccess peer-to-peer protocol to disable it. In March 2013, engineers from Symantec took up the task and successfully discovered a vulnerability in the botnet protocol, which allowed, although with great difficulty, to disrupt its work.</p>
<p>At the same time, monitoring of botnet activity continued, and on June 29, Symantec specialists noticed that a new version of ZeroAccess was being distributed through the peer-to-peer network. The updated version contained certain changes that closed the vulnerability found earlier. This, it seems, prompted the operation to capture the botnet, which started on July 16. The researchers tried to take control before the update arrived on all nodes. As a result, more than half a million bots left the botnet.</p>
<p>But even greater success was achieved by whitehats from Microsoft: in December 2013, together with the law enforcement agencies of different countries, they disrupted the work of ZeroAccess, taking control of the C&amp;C. Law enforcement officers received search and seizure orders for servers that responded to 18 IP addresses and from which the botnet was managed. After this operation, the bots received the last update from the authors, with the message WHITE FLAG. In short, the botnet gave up.</p>
<p>Technically, the botnet is still alive, but it will never receive updates again, as the command servers have sunk into oblivion. The bot is not updated, the detection rate is constantly growing, and more and more antivirus programs are disabling it. But we can't rule out that the developers are currently working on a new version of ZeroAccess.</p>
</blockquote>
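The post mentions that ZeroAccess kept a caught antivirus from restarting by rewriting its executable's ACL to deny read and execute. The following PowerShell scan, an added example and not code from the post, walks the Program Files trees and reports any executable carrying an explicit Deny ACE on read/execute, which is the residue such a lock-out leaves behind; the scan roots are an assumption to adapt to your own estate.

```powershell
# Added example, not from the original post. Looks for the lock-out trick the post
# describes: an explicit Deny ACE on read/execute for an installed executable.
# $ScanRoots is an assumption; point it at wherever your security agents live.
$ScanRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
$DenyMask  = [int][System.Security.AccessControl.FileSystemRights]::ReadAndExecute

function Get-DeniedExecutables {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
          ForEach-Object {
            $file = $_
            try { $acl = Get-Acl -LiteralPath $file.FullName } catch { return }
            foreach ($ace in $acl.Access) {
                # A Deny ACE that removes read or execute is what stops the binary from starting.
                if ($ace.AccessControlType -eq 'Deny' -and
                    (([int]$ace.FileSystemRights -band $DenyMask) -ne 0)) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
          }
    }
}

$findings = @(Get-DeniedExecutables -Roots $ScanRoots)
if ($findings.Count -eq 0) {
    Write-Output 'No executables with Deny ACEs on read/execute found under the scan roots.'
} else {
    # Legitimate installs rarely carry an explicit Deny here; treat hits as worth escalating,
    # especially when the denied identity is Everyone or SYSTEM and the ACE is not inherited.
    $findings | Format-Table -AutoSize
}
```

Run it elevated so Get-Acl can read every security descriptor; a non-inherited Deny for a broad principal on a security product's binary is the pattern to investigate first.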