How ZeroAccess Rootkit Takes Control Over PCs

To answer this question, it is necessary to look briefly at how this rootkit operates. The ZeroAccess rootkit is capable of differentiating between and installing on either Windows 32-bit or 64-bit operating systems. It selects one of two different methods of deploying, depending on the target system it finds itself presented with.

32-bit infection method

This infection uses kernel-mode code to hijack parts of the operating system after acquiring privilege escalation in the instal (the malware must elevate its privilege for successful installation for non-administrator accounts). This is done on systems enabled with UAC (User Account Control) by employing a clean, genuine pop-up such as Adobe Flash Installer to hide behind, installing simultaneously. The rootkit then overwrites a random driver, hiding the original driver and any further files it downloads on a part of the disk where applications do not run. These files are encrypted and disguised to look like a Microsoft patch directory, though impossible to read using standard Windows protocols. If an attempt to examine the infected driver is made, the original clean version will be substituted for inspection.

64-bit infection method

Encountering Windows 64-bit, kernel-mode code is not used. After it drops the Flash Installer to obtain privileges, the rootkit executes entirely in the user memory and reboot capability is via a file dropped in the user’s AppData folder and a registry entry it makes. This updated 64-bit-capable version of ZeroAccess conceals its files this time in the Global Assembly Cache (GAC) which is a collection of .NET assemblies that Windows uses. The files will not be found by casual browsing, though they can be viewed using the Cache Viewer with certain parameters applied (for technical data see the extensive research by Sophos).

ZeroAccess in control of C: drive?

Once these tasks have been carried out, the rootkit has the capability to communicate with other infected systems. This is carried out from either the kernel and/or elements written into the user memory in explorer.exe or svchost.exe. It uses an initial file of 256 compromised computers that already comprise part of a botnet – literally a robotic network working invisibly in the backgrounds of many disparate, compromised systems to accomplish the aims of the authors. Once this communication is established, the now functioning node in the botnet receives commands via its peers. At this point, the victim’s C: drive is potentially under total control of ZeroAccess for as long as the user’s system is powered-up and connected to the internet via a public IP address. This can be thought of as covert control

The operating system is now susceptible to ANY further malware the operators need to introduce in order to fulfill their intentions, and then take overt, or actual control if required. This particular rootkit infection has generally been kept covert, and used for delivery of the payloads it is commonly associated with – click frauds and spambots (the click-fraud version is usually detected using ports 21810 and 22292 – the spambot variant, port 34354). Whilst it is in the interests of the actors to remain undetected in their network in order to continue raising revenue – see the interesting research by Symantec, there is no doubt – with this rootkit in a system – who is really in control.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.