• Total Posts: 28069
  • Total Topics: 8067
  • Online Today: 964
  • Online Ever: 51419
  • (01. January 2010., 09:27:49)

Author Topic: ZeroAccess Misleads Memory-File Link  (Read 994 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 714
  • KARMA: 114
  • Gender: Male
  • Pez
ZeroAccess Misleads Memory-File Link
« on: 11. July 2012., 08:47:02 »

ZeroAccess Misleads Memory-File Link

ZeroAccess, a kernel-mode rootkit, recently shifted its infection technique from kernel mode to user mode. (For more on ZeroAccess, which turns infected systems into a peer-to-peer botnet, read these posts from my colleagues Peter Szor and Aditya Kapoor.) Even in user mode, ZeroAccess can maintain its presence on an infected system.

ZeroAccess implements what I call file disassociation, which means it modifies memory-loaded objects into a file—in this case either explorer.exe or services.exe. This association of memory into a file is basically stored through LDR_DATA_TABLE_ENTRY. (For more on file-/memory-disassociation techniques, see our Virus Bulletin entry Predicting The Future of Stealth Attacks.)

LDR_DATA_TABLE_ENTRY is a process structure under Windows that works similarly to a table of contents or index of a book. All programs, libraries, and other files used by a running application are tracked under this double-linked list process structure in memory. (Click here for a general overview on Windows processes.)

               +0×000 InLoadOrderLinks : _LIST_ENTRY
              +0×008 InMemoryOrderLinks : _LIST_ENTRY
              +0×010 InInitializationOrderLinks : _LIST_ENTRY
              +0×018 DllBase : Ptr32 Void
              +0x01c EntryPoint : Ptr32 Void
              +0×020 SizeOfImage : Uint4B
              +0×024 FullDllName : _UNICODE_STRING
                            +0×000 Length :
                            +0×002 MaximumLength :
                            +0×004 Buffer :
              +0x02c BaseDllName : _UNICODE_STRING
              +0×034 Flags : Uint4B

ZeroAccess acquires its own LDR_DATA_TABLE_ENTRY via the API LdrFindEntryForAddress.

              .text:4567187D lea eax, [ebp+arg_0]
              .text:45671880 push eax
              .text:45671881 push [ebp+arg_0]
              .text:45671884 call dword ptr ds:LdrFindEntryForAddress
; acquires its own LDR_DATA_TABLE_ENTRY in the process

Once acquired, ZeroAccess verifies the length and does a wide-character-string copy of the hardcoded string “c:\\windows\system32\\n” into the FullDllName.Buffer

              .text:45671891 cmp word ptr [eax+24h], 2Ch ; check length
              .text:45671896 jb short loc_456718B2
              .text:45671898 push offset aCWindowsSystem ; “c:\\windows\\system32\\n”
              .text:4567189D push dword ptr [eax+28h] ; wchar_t * – buffer
              .text:456718A0 call ds:wcscpy

ZeroAccess has two key tactics. It:

•Fools users into thinking the malware is hidden in “c:\windows\system32\n”
•Removes references to the malware’s location as seen in process memory
McAfee antimalware products will detect and clean this threat from infected systems. As always, keep your products updated to protect against such threats.

Orginal article: Tuesday, July 10, 2012 at 9:24am by Lennard Galang
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -

ZeroAccess Misleads Memory-File Link
« on: 11. July 2012., 08:47:02 »


  • SCF Administrator
  • *****
  • Posts: 7152
  • KARMA: 291
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum
Re: ZeroAccess Misleads Memory-File Link
« Reply #1 on: 15. July 2012., 06:10:48 »
Thanks for warning pal.  :thumbsup:


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising