ZeroAccess: How to remove the latest version

   In my previous 2 posts I have highlighted the changes in the newer version of ZeroAccess and how to tell if you are infected, and who is at most risk. This post will cover how to get rid of this infection, and what tools to use to protect against it.

    The easiest way is to download one of many anti-virus programs, or removal tools. I always recommend ESET as they have always gotten the job done for me and my family. ESET has made a tool specifically to remove the ZeroAccess bot, one that is easy and completely free.

1. Download the tool here
2. Start the tool by double clicking it.
3. Press "Y" when it asks you if you want to restore system services
4. Once the tool has finished working, restart your computer by pressing any key.
5. You may be prompted with a security window upon restarting, click yes or allow
6. Click "Yes" on the repair window
7. Once the repair is finished, you will be prompted to restart again, do so.
8. For best results and to ensure complete removal, purchase ESET Smart Security or ESET Nod32 and run a full scan.

    As you can see, it is fairly simple to remove this virus, if you have any trouble, comments, or questions, let me know in the comments section (Don't be embarrassed, I have to approve comments, if you think it is a stupid question, just ask that I do not post the comment, and I will contact you directly.)

    The main way this bot spreads is through exploits, most of which are patched in the latest versions of the software they are designed to exploit, so make sure you apply regular updates, and don't visit shady sites. Also, I know it may be hard to refrain from pirating things like games, so I encourage you to only download "cracks" if there have been many downloads, even then, make sure to read the comments and do not download if it is reported to be infected, or not working correctly. Also remember that I do not condone pirating or any form of illegal downloads.

ZeroAccess: still alive and kicking. Part: 1/3

    ZeroAccess is still around and seems to be growing, albeit not as fast as a month or two ago. The coders of ZeroAccess seem to have made major changes to the bot. It uses all new protocols to communicate, drops to a different location, uses different startup methods, and seems to be moving away from kernel-mode and operates mostly in user-mode in both 32 and 64 bit versions. SophosLabs goes into much more detail here

    The bot now uses ports 16464 and 16465 by the 32-bit and 64-bit versions of one botnet; ports 16470 and 16471 are used by the 64-bit and 32-bit versions of the other botnet. This shows that there are 4 distinct and separate botnets, wether they are operated by the same person or group is unknown at this time.

    The bot also drops to a new location, while it used to drop at symlink dir or %APPDATA%, it now drops at %APPDATA%, Windows/installer, or recycle bin.

    The new version, rather than overwriting a driver, it hijacks a COM object and/or patches services.exe. This seems to be a much more stable and more permanent way to do it.

    Both x64 and x86 bit versions of the bot also seem to be doing everything in the user-mode rather than kernel-mode, while in previous versions, x86 used kernel. There are still some new samples that use kernel-mode, but not nearly as many as before.


Part 2 will cover where and how many are infected and finally part 3 will be removal and prevention.
Please comment with any questions and I will do my best to answer.


Credits:
THN
SophosLabs

ZeroAccess Part 3: How to stop it.

If you have read Part 1 and Part 2, you should have a pretty good idea of what ZeroAccess is and how dangerous it is. In this post, I will go through multiple methods of removal that I have found while searching the web.

1. Tools
1. cleanpcguide.com has a removal tool that you can download here
2. Use ESET's removal tool downloaded here
3. Use McAfee's RootkitRemover, available here
2. Manual Removal (as Provided by   http://www.cleanpcguide.com/remove-zeroaccess-removal-guide-how-to-remove-zeroaccess/ )
1. Stop ZeroAccess process using the windows task manager. (This will most likely be some random name, if you see a process that you do not recognize, right click and view location to find files associated with it, this will be needed in step 4, then end it.)
2. Uninstall ZeroAccess program from windows control panel Add/Remove Programs. (control panel --> Programs --> Remove/change, then find something you think looks fishy, or do not remember installing)
3. Open windows registry using regedit.exe command. Find and Remove all ZeroAccess Registry Files. (will usually be under the HKLM or HKCU run directory (startup registry))
4. Search for ZeroAccess Files on your computer and delete it. (files found in step 1)

If none of these work, the malwarbytes community is very helpful. You can ask for help here.

Tell me what you thought of this three part series, and remember to comment what I should blog about next.

ZeroAccess Part 2: What does it do?

First off, sorry this took so long. It is finals week so I have been quite busy.

Overview


ZeroAccess will install 2 different versions of itself depending on the system architecture (32 or 64 bit). Once it has dropped the correct version, and elevated it's privileges, it starts talking with other infected machines to get  instructions. Most of the time, it is used to "Sell Installs". That is, other "hackers" can pay someone to install their virus onto the already infected machines. One of the most popular viruses that is installed with ZeroAccess is Zeus (see Zeus Continues to Evolve and New Variant of Zeus includes Ransomeware). Once that is installed, the "hacker" can steal your personal data including, but not limited to, your credit card number, login credentials to different sites (including banking sites) etc.

Installation

• 32 bit
• When file dropper is executed, it checks whether it is on a 32 or 64 bit computer, then installs the corresponding kit. If it is on a 32 bit machine, it drops a kernel mode or Ring-0 rootkit. It drops itself into a hidden folder. It adds itself to startup, and checks it's list of predetermined C&C (Command and Controls). it then attempts to connect to them on TCP port 13620 and awaits commands.
• 64 bit
• The 64 bit version of ZeroAccess does not have a Ring-0 rootkit. It does, however, have a Ring-3 or User-mode kit. When initiated, it attempts to raise it's privileges as described in part 1. Once that is done it protects its process (makes it harder to kill) and waits for commands.

Communication

The virus comes with a list of known IPs of infected machines. If these machines have UPNP enabled and the ports are properly opened, they become server nodes. If not, then they are just clients. Once it has succesfully made a connection, it is added to the other bots list, and updates its own list. It then periodically checks in with the other servers to see if any new commands were issued. The bot uses TCP port 13620 to connect to others. All communication is encrypted with RC4 encryption. 

Monetizing

The virus is most commonly used to install other viruses like Zeus. It also downloads a click fraud virus. This virus is almost always seen with ZeroAccess, so it is thought that it may be authored by the creator of ZeroAccess. And finally, it downloads a spam bot. This is a virus that is used to send spam, junk, or infected links via e-mail.

Conclusion

This is a very sophisticated piece of malware, and while it may not yet be on par with the TDL family, it is definitely getting there. While it is already dangerous now, imagine what it could become capable in 5 or 10 years from now. As soon it is detected, this must not be ignored. the only way to stop it effectively is to completly remove it from the system. While it is currently only used to download malware to monetize, this could and most likely will change as the owner rents out space and allows other files to be downloaded.

Credits to McAfee labs, Sophos, and PrevX

ZeroAccess Part 1: What is it

ZeroAccess is quickly becoming one of the go to rootkits, and may surpass the TDL family in the coming years. Machines are most commonly infected using 2 techniques, the first being through an exploit kit, the second being Social Engineering.

BlackHole Exploit Pack
Infection Statistics

Let's first take a look at how the exploit kit infection works. First, an Exploit Pack, is a webpage that is designed to exploit software commonly installed on computers, such as Flash, Java, Internet Explorer, etc. It tries to find loopholes to let it silently download and execute a program on the victims computer. Most Exploit Packs use outdated exploits that are already patched, although, a few extremely high-end packs use what are known as "0-Day" exploits. This means that it works for the newest version of exploited software, and is not yet know/detected. To drive traffic to these exploits, "hackers" find holes in legitimate websites, and embed a small code into the pages that will direct the user to their site unknowingly. This is most often done through an "IFrame" set to be 0px wide and 0px high. Since the user does not need to see or interact with the exploit site, this works perfectly. Sometimes a JavaScript is embedded, although this is less common as some web hosts have JavaScript disabled, and it is more noticeable. The exploit then goes through its list of exploits, and, if one is found working, downloads and executes the payload (ZeroAccess).

Figure 1.1

Sometimes, the "hacker" uses Social Engineering techniques to try and get the user to willing download and execute the file. This is usually done by attaching the file to some sort of program crack or keygen. The "hacker" will bind his virus (ZeroAccess) to the crack, and then upload it to a filehost, or torrent host. The user will download and execute this file and, since it works, won't be very suspicious. The "hacker" can also use something called a "Java Drive By". This is more of a mix of exploit and Social Engineering. The "Hacker" sets up a site where there is a browser game or camera that needs Java to run. When the victim goes to the website, he will first be prompted to allow java to run (see Figure 1.1), then he will be asked to download and install an "update". This update, of course, is actually the "hackers" virus. Then, once the user clicks ok, the page will "refresh" and the application that required Java will work. The user, being satisfied that it works, will not suspect a thing.

Figure 1.2

When the virus is executed, it first checks what architecture the computer is (32 or 64). It then drops the related file and dies. Once the file is dropped, if execute on a non-admin account, it will require a UAC popup window . It does this by acting as if it is an official adobe update. It replaces a .dll inside of the adobe installer folder, and prompts the user to download the update (see Figure 1.2). This "update" actually downloads the latest flash player, but also gives the virus admin permissions. It then goes on to connect to other infected computers, and await orders.

Stay tuned for Part 2: What does it do
then later, the final part Part 3: How to stop it

Credits to McAfee labs, Sophos, and PrevX