Wednesday, September 19, 2012

ZeroAccess: still alive and kicking. Part: 1/3

    ZeroAccess is still around and seems to be growing, albeit not as fast as it was a month or two ago. Its coders appear to have made major changes to the bot: it uses all-new protocols to communicate, drops to different locations, uses different startup methods, and seems to be moving away from kernel mode, operating mostly in user mode in both the 32-bit and 64-bit versions. SophosLabs goes into much more detail in its analysis (credited below).

    The bot now uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet, and ports 16470 and 16471 for the 64-bit and 32-bit versions of the other. Each port therefore identifies one of four distinct and separate botnets; whether they are operated by the same person or group is unknown at this time.
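    The port scheme above is the easiest network indicator to act on. The following is an added example (not code from the original post or from SophosLabs) that runs that port mapping over a few constructed connection-log lines and flags hosts fanning out to several peers on one of the four ports. The log line format, the sample lines and the peer threshold are assumptions made for illustration; the port-to-botnet mapping is transcribed from the paragraph above. Since ZeroAccess talks peer-to-peer, one host contacting many different peers on the same port is a stronger signal than a single connection, so the check counts distinct destinations rather than raw hits.

```python
"""Flag hosts whose outbound traffic matches the ZeroAccess port scheme.

Added example, not from the original post. The port-to-botnet mapping is
transcribed from the post; the log format and the log lines are constructed.
"""
import re
from collections import defaultdict

# Port -> (botnet, architecture), exactly as stated in the post.
ZEROACCESS_PORTS = {
    16464: ("botnet 1", "32-bit"),
    16465: ("botnet 1", "64-bit"),
    16470: ("botnet 2", "64-bit"),
    16471: ("botnet 2", "32-bit"),
}

# Hypothetical (constructed) log line format:
#   <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 fans out to four peers on 16464,
# 10.0.0.7 makes a single connection to 16471, the rest is benign noise.
SAMPLE_LOG = """\
2012-09-19T10:00:01 UDP 10.0.0.5:1034 -> 203.0.113.10:16464
2012-09-19T10:00:02 UDP 10.0.0.5:1034 -> 203.0.113.11:16464
2012-09-19T10:00:03 UDP 10.0.0.5:1034 -> 203.0.113.12:16464
2012-09-19T10:00:04 TCP 10.0.0.5:1035 -> 93.184.216.34:80
2012-09-19T10:00:05 UDP 10.0.0.7:2001 -> 198.51.100.4:16471
2012-09-19T10:00:06 UDP 10.0.0.9:3000 -> 198.51.100.9:53
2012-09-19T10:00:07 UDP 10.0.0.5:1034 -> 203.0.113.13:16464
"""


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port, proto) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return d["src"], d["dst"], int(d["dport"]), d["proto"]


def zeroaccess_hits(log_text):
    """Map (src_ip, dst_port) -> set of distinct destination IPs for the four ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing the whole run
        src, dst, dport, _proto = parsed
        if dport in ZEROACCESS_PORTS:
            hits[(src, dport)].add(dst)
    return hits


def suspected_infections(log_text, min_peers=3):
    """Hosts contacting at least `min_peers` distinct peers on one ZeroAccess port.

    The threshold is an assumed tuning value, not something stated in the post;
    lower it to see single hits, raise it to cut false positives on busy networks.
    """
    result = {}
    for (src, dport), peers in zeroaccess_hits(log_text).items():
        if len(peers) >= min_peers:
            botnet, arch = ZEROACCESS_PORTS[dport]
            result[src] = {"port": dport, "botnet": botnet,
                           "arch": arch, "peers": len(peers)}
    return result


if __name__ == "__main__":
    for host, info in suspected_infections(SAMPLE_LOG).items():
        print(f"{host}: {info['peers']} peers on port {info['port']} "
              f"({info['botnet']}, {info['arch']})")
```

    On the constructed sample only 10.0.0.5 is reported (four peers on 16464, so botnet 1, 32-bit); 10.0.0.7 shows up only if the threshold is lowered to 1, which is the behaviour you want when triaging a single suspicious host by hand.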

    The bot also drops to new locations. Where it used to drop into a directory reached through a symbolic link or into %APPDATA%, it now drops into %APPDATA%, %WINDIR%\Installer, or the Recycle Bin.

    Rather than overwriting a driver, the new version hijacks a COM object and/or patches services.exe. This seems to be a much more stable and more permanent way to persist.

    Both the x64 and x86 versions of the bot also seem to do everything in user mode rather than kernel mode, whereas in previous versions the x86 build used the kernel. There are still some new samples that use kernel mode, but not nearly as many as before.


Part 2 will cover where and how many machines are infected, and part 3 will cover removal and prevention.
Please comment with any questions and I will do my best to answer.


Credits:
THN
SophosLabs

