Topic: Targeting ZeroAccess Rootkit’s Achilles’ Heel

Pez

  • SCF VIP Member
  • *****
  • Posts: 776
  • KARMA: 117
  • Gender: Male
  • Pez
Targeting ZeroAccess Rootkit’s Achilles’ Heel
« on: 02. May 2012., 09:32:46 »
"Note! This is a McAfee article, with many references to McAfee technologies."


Targeting ZeroAccess Rootkit’s Achilles’ Heel


Proliferation
ZeroAccess is one of the most talked and blogged about rootkits [1] [2] in recent times. It is also one of the most complex and highly prevalent rootkits we have encountered, and it continues to evolve. The ZeroAccess rootkit is distributed both by social engineering and by exploitation. A recent blog post by our colleagues at McAfee describes some of the odd methods this rootkit adopts to get installed on machines without getting noticed.

One of the goals of this rootkit is to create a powerful peer-to-peer botnet, which is capable of downloading additional malware on the infected system. This botnet is reportedly [3] involved in click fraud, downloading rogue antivirus applications, and generating spam.

This Google map of the United States shows McAfee VirusScan consumer nodes reporting unique ZeroAccess detections during the past week.



Our consumer data for the past month shows close to 4,000 unique systems detecting ZeroAccess daily. And the trend is continuing upward.



Installation
In my recent analysis of this rootkit, I wanted to understand its initial installation mechanism. The installation of ZeroAccess involves overwriting a legitimate driver on disk with the malicious rootkit driver. Step 1 usually varies between variants. Some variants directly overwrite a legitimate driver; others first inject the malicious code into trusted processes like explorer.exe and then, from the injected code, overwrite the driver (this is done to bypass various security products and to make analysis more challenging). During Step 1, the original driver code is kept in memory. The driver that is overwritten in Step 2 is randomly selected (details here [1]). In the discussion below we assume CDROM.sys is being overwritten. Steps 2 through 8 are fairly static across variants of ZeroAccess. Once the driver is overwritten by malicious code, it is loaded into kernel space. The first task of the kernel-mode code is to set the malware up to survive reboots and to forge the view of the overwritten driver (CDROM.sys).

Let's move on to see how this scheme works in Steps 5 through 8. In Step 5, ZeroAccess intercepts disk I/O by hooking the DeviceExtension->LowerDeviceObject field in the \driver\disk DEVICE_OBJECT. From then on, any disk I/O goes through the rootkit's malicious routine. In Step 6, the kernel-mode code has access to a clean image of the CDROM.sys driver stored in memory. To survive reboots it flushes the file to disk using the ZwFlushVirtualMemory API. The request to flush the clean image is, interestingly, sent to the file CDROM.sys, which at first glance looks counterintuitive. Why would the rootkit want to write the clean image to the file it just infected in Step 2? Looking more closely, the rootkit actually uses its disk I/O redirection framework. So, when this request to store the clean image of the file on disk travels through the virtual driver stack shown in Step 7, it is encrypted and redirected (Step 8) to the rootkit's "protected" folder that it created in Step 3, instead of going to the actual CDROM.sys.



Once the original, encrypted image of CDROM.sys is stored in the protected folder, the infection becomes persistent and can easily survive reboots. Any attempt to read the infected CDROM.sys has to traverse the hijacked I/O path, in which the rootkit decrypts the original file from its protected storage on the fly and presents the clean image, thus forging the view of the file to security tools. Also, during a reboot the infected file first loads the malicious code into the kernel, which can refer to its "protected" folder and load the original file into the kernel, thus ensuring the uninterrupted functionality of the original device.

To clean this threat, security tools have to take several steps: either repair memory or decrypt the file in its protected folder so that they can restore the original file. Also, once the rootkit is active in kernel mode, it takes a lot of evasive steps to kill or circumvent security tools, as described by our colleagues in this Virus Bulletin article. So repair becomes even more challenging and research more costly.

Impact of real-time kernel monitoring
For more than a year I tested many variants of this rootkit family against McAfee's Deep Defender technology, which provides real-time protection against unauthorized kernel-memory modifications. The following screenshot shows Deep Defender blocking the DeviceExtension hijack attempt in Step 5, which was critical to the rootkit's survival. Once this hook was blocked, the machine was cleaned after a reboot, without any fancy repairs. This shaved days off reverse engineering and writing custom repairs against this rootkit and its multiple variants. It seems Deep Defender has found the Achilles' heel of this rootkit.



How did Deep Defender clean the machine?
You did not miss part of this article. The interesting point is that Deep Defender did not have to do any custom repairs to clean this threat. It just blocked in real time the core functionality of the rootkit. Let’s revisit the attack strategy to understand what happened.



When the rootkit attempted to hijack the DeviceExtension pointer in Step 5, Deep Defender’s real-time kernel-memory protection saw the attempted change and recognized it as a malicious attempt to modify a critical structure and blocked the hijack attempt. With the hook gone, the rootkit could not hijack the disk i/o path, which means it could not store any files in its “protected” folder and could not survive any reboots without getting noticed. It certainly cannot forge the view of the file anymore. But the most interesting part is that the attempted hijack block by Deep Defender actually redirected the rootkit’s write attempt in Step 7 to its original location. So Step 8 would actually overwrite the original file that it just infected from user mode, thus forcing the rootkit to clean up for us. After a reboot, the system will be back in the clean state.

This strategy from Deep Defender works against all the current ZeroAccess variants. It would be challenging for the rootkit authors to fully bypass this defense without either leaving the system in a corrupted state or being noticed by security tools, which would catch them red-handed once they could no longer forge the view of the file.


Original article: Monday, April 30, 2012 at 4:17pm by Aditya Kapoor

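The I/O redirection in Steps 5 through 8, and the reason that blocking the Step 5 hook makes the rootkit overwrite its own infection, can be replayed in a small user-mode model. The C program below is an added example: it is not McAfee's or the article's code and contains no ZeroAccess code. The device-object struct, the XOR "encryption" of the protected folder, and the monitor that refuses writes to the lower-device pointer are all simplifications of the real kernel objects (assumptions of this example), and the driver images are constructed strings rather than real driver bytes.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FILE_LEN 16

/* Constructed on-disk images (not real driver bytes): clean CDROM.sys and
 * the copy overwritten by the ZeroAccess dropper in Step 2. */
static const char CLEAN_CDROM[FILE_LEN]    = "CDROM.sys-clean";
static const char INFECTED_CDROM[FILE_LEN] = "ZeroAccess-drv!";

struct device_object;
typedef void (*dispatch_fn)(struct device_object *dev, bool is_write, char *buf);

/* Simplified DEVICE_OBJECT; `lower` stands in for DeviceExtension->LowerDeviceObject. */
struct device_object {
    const char *name;
    dispatch_fn dispatch;
    struct device_object *lower;
};

/* Backing storage: the real CDROM.sys sectors and the rootkit's "protected" folder. */
static char disk_cdrom[FILE_LEN];
static char protected_store[FILE_LEN];
static bool protected_store_used;

/* Bottom of the stack (port driver): the only code that touches the sectors. */
static void port_dispatch(struct device_object *dev, bool is_write, char *buf) {
    (void)dev;
    if (is_write) memcpy(disk_cdrom, buf, FILE_LEN);
    else          memcpy(buf, disk_cdrom, FILE_LEN);
}

/* \Driver\Disk: forwards every request to whatever `lower` points at (the Step 5 target). */
static void disk_dispatch(struct device_object *dev, bool is_write, char *buf) {
    dev->lower->dispatch(dev->lower, is_write, buf);
}

/* Toy cipher standing in for the rootkit's encryption of its protected folder. */
static void xor_crypt(char *buf) {
    for (int i = 0; i < FILE_LEN; i++) buf[i] ^= 0x5A;
}

/* Rootkit filter slipped below \Driver\Disk (Steps 6-8): writes to CDROM.sys are
 * encrypted and diverted to the protected folder; reads are answered with the
 * decrypted copy, so the infected sectors are never seen through the stack. */
static void rootkit_dispatch(struct device_object *dev, bool is_write, char *buf) {
    if (is_write) {
        memcpy(protected_store, buf, FILE_LEN);
        xor_crypt(protected_store);
        protected_store_used = true;
    } else if (protected_store_used) {
        memcpy(buf, protected_store, FILE_LEN);
        xor_crypt(buf);
    } else {
        dev->lower->dispatch(dev->lower, false, buf);  /* nothing to forge yet */
    }
}

/* Model of real-time kernel-memory monitoring: once the stack is built, the
 * lower-device pointer is treated as a critical structure and any change to it
 * is refused while the monitor is on (a simplification of the product's logic). */
static bool monitor_on;

static bool set_lower_device(struct device_object *dev, struct device_object *new_lower) {
    if (monitor_on) return false;            /* Step 5 hijack blocked */
    dev->lower = new_lower;
    return true;
}

static void io_request(struct device_object *top, bool is_write, char *buf) {
    top->dispatch(top, is_write, buf);
}

struct outcome { bool hook_succeeded, view_clean, disk_clean; };

/* Replays Steps 2 and 5-8 with or without the monitor, then reports what a scanner
 * reading CDROM.sys through the stack sees versus what is really on disk. */
static struct outcome run_infection(bool with_monitor) {
    struct device_object port    = { "port",           port_dispatch,    NULL  };
    struct device_object disk    = { "\\Driver\\Disk", disk_dispatch,    &port };
    struct device_object rootkit = { "zeroaccess",     rootkit_dispatch, &port };
    char buf[FILE_LEN];
    struct outcome r;

    monitor_on = false;                      /* stack is built before protection starts */
    protected_store_used = false;
    memcpy(buf, INFECTED_CDROM, FILE_LEN);   /* Step 2: dropper overwrites CDROM.sys */
    io_request(&disk, true, buf);

    monitor_on = with_monitor;
    r.hook_succeeded = set_lower_device(&disk, &rootkit);   /* Step 5 */

    memcpy(buf, CLEAN_CDROM, FILE_LEN);      /* Steps 6-8: flush clean image to "CDROM.sys" */
    io_request(&disk, true, buf);

    io_request(&disk, false, buf);           /* what a security tool reads back */
    r.view_clean = memcmp(buf, CLEAN_CDROM, FILE_LEN) == 0;
    r.disk_clean = memcmp(disk_cdrom, CLEAN_CDROM, FILE_LEN) == 0;
    return r;
}

int main(void) {
    for (int m = 0; m < 2; m++) {
        struct outcome o = run_infection(m == 1);
        printf("monitor %s: hook=%d view_clean=%d disk_clean=%d\n",
               m ? "on " : "off", o.hook_succeeded, o.view_clean, o.disk_clean);
    }
    return 0;
}
```

With the monitor off, the hook lands, the flush of the clean image is diverted into the protected folder, the sectors stay infected, and a read through the stack is answered with the forged clean view. With the monitor on, the same flush falls through the untouched \Driver\Disk path to the real sectors and overwrites the infected file, which is the self-cleaning behaviour the article describes after the reboot.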

Samker

Re: McAfee Deep Defender - download ?!
« Reply #1 on: 03. May 2012., 21:22:13 »

I can't find any link to download at least some trial version...  ???

McAfee Deep Defender: http://www.mcafee.com/us/products/deep-defender.aspx


jheysen

Re: Targeting ZeroAccess Rootkit’s Achilles’ Heel
« Reply #2 on: 04. May 2012., 00:27:19 »
Weird that McAfee hasn't publicized any trial.... maybe on ePO? (That reminds me... I haven't run my local virtual ePO in weeks! D:)

Pez

Re: Targeting ZeroAccess Rootkit’s Achilles’ Heel
« Reply #3 on: 04. May 2012., 09:11:46 »

From what I can find in this document, "McAfee Deep Defender", there seems to be something related to ePO.


"System Requirements and Specifications
• Supports Intel® Core i3, i5, and i7 processors
• Supports Windows 7; 32- and 64-bit
• 2 GB RAM (32-bit) or 4 GB RAM (64-bit)
• Managed by McAfee ePO software 4.5 or higher
• Intel Virtualization Technology (VT) enabled in BIOS
• Internationalized and localized for deployment worldwide

Tested for compatibility with the following McAfee products:
• McAfee VirusScan Enterprise 8.7 or higher
• McAfee Application Control 5.x
• McAfee Endpoint Encryption for PC 5, 5.2.6, 5.2.9, and 6.1
• McAfee Host DLP 9.x
• McAfee Host Intrusion Prevention 8.x
• McAfee Network Access Control 3.2"


I have found this Demo of Deep Defender
http://www.mcafee.com/us/resources/demos/demo-deep-defender.html

I have also found this "McAfee Releases Deep Defender and Deep Command as Extensions to ePO"

and this "Release Notes - McAfee Deep Defender 1.0"
So it seems to have been released under the ePO product.
