ZeroAccess is still around and seems to be growing, albeit not as fast as a month or two ago. Its coders seem to have made major changes to the bot: it uses all-new protocols to communicate, drops to a different location, uses different startup methods, and seems to be moving away from kernel mode, operating mostly in user mode in both the 32-bit and 64-bit versions. SophosLabs goes into much more detail here.
The bot now uses ports 16464 and 16465 for the 32-bit and 64-bit versions of one botnet; ports 16470 and 16471 are used by the 64-bit and 32-bit versions of the other botnet. This shows that there are four distinct and separate botnets; whether they are operated by the same person or group is unknown at this time.
The bot also drops to a new location: where it used to drop into a symlink directory or %APPDATA%, it now drops into %APPDATA%, Windows/installer, or the Recycle Bin.
Rather than overwriting a driver, the new version hijacks a COM object and/or patches services.exe. This seems to be a much more stable and more permanent way to persist.
Both the x64 and x86 versions of the bot also seem to do everything in user mode rather than kernel mode, whereas in previous versions the x86 build used kernel mode. There are still some new samples that use kernel mode, but not nearly as many as before.
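As an added example (my own code, not from SophosLabs or THN), here is a small detector that runs the port mapping above over flow logs, assuming the ports pair with the bitness in the order the post lists them. The flow-log line format, the sample flows and the "distinct peers" threshold are assumptions constructed for this example.

```python
import re
from collections import defaultdict
# Port -> (botnet, bot bitness), pairing ports with bitness in the order the post lists them.
ZEROACCESS_PORTS = {
    16464: ("botnet-1", "32-bit"),
    16465: ("botnet-1", "64-bit"),
    16470: ("botnet-2", "64-bit"),
    16471: ("botnet-2", "32-bit"),
}

# Assumed (constructed) flow-log line format: "<src_ip> <dst_ip> <proto> <dst_port>"
FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$", re.IGNORECASE)

def parse_flow(line):
    """Return (src, dst, proto, dport), or None for a line that does not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, dst, proto, dport = m.groups()
    return src, dst, proto.lower(), int(dport)

def find_zeroaccess_peers(lines, min_peers=3):
    """Report (src, port) pairs that reached at least min_peers distinct hosts
    on a ZeroAccess port. A P2P bot fans out to many peers on one port, so a
    lone connection is weak evidence; the threshold of 3 is an assumption."""
    peers = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue  # skip malformed lines rather than abort the whole scan
        src, dst, _proto, dport = flow
        if dport in ZEROACCESS_PORTS:
            peers[(src, dport)].add(dst)
    hits = {}
    for (src, dport), dsts in peers.items():
        if len(dsts) >= min_peers:
            botnet, bitness = ZEROACCESS_PORTS[dport]
            hits[(src, dport)] = {"botnet": botnet, "bitness": bitness, "peers": len(dsts)}
    return hits

# Constructed sample flows (not real traffic): a fan-out on 16471, a lone hit on 16464, noise, a bad line.
SAMPLE_FLOWS = [
    "10.0.0.5 198.51.100.10 udp 16471",
    "10.0.0.5 198.51.100.11 udp 16471",
    "10.0.0.5 198.51.100.12 udp 16471",
    "10.0.0.5 198.51.100.13 udp 16471",
    "10.0.0.7 203.0.113.9 tcp 16464",
    "10.0.0.8 203.0.113.20 tcp 443",
    "not a flow line",
]
```

Calling find_zeroaccess_peers(SAMPLE_FLOWS) flags only 10.0.0.5 (four peers on 16471, so the 32-bit build of the second botnet); the single hit from 10.0.0.7 stays below the threshold unless you lower min_peers.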
Part 2 will cover where and how many machines are infected, and part 3 will cover removal and prevention.
Please comment with any questions and I will do my best to answer.
Credits:
THN
SophosLabs
Blog related to malware, system security, Cyber security, and the like. This blog and all materials and information are for research purposes only, and are not to be used for any illegal purposes.
Wednesday, September 19, 2012
Monday, September 10, 2012
PlugX or Korplug
Some of you may have heard about a campaign using Poison Ivy to target users in Japan, China, and Taiwan. The same group is now developing a new RAT (Remote Administration Tool) called PlugX or Korplug. They seem to be distributing both side by side and are using some of the same servers to control both. This Trojan is detected as "Backdoor.Win32.Plugx". It is being delivered as attachments to spam mail (examples provided here). Some variants of this Trojan may be signed with stolen certificates.
How to remove:
Most antivirus programs (such as Norton and NOD32) detect and remove this Trojan, so running a scan with any of them should get rid of the problem. However, it is possible to manually remove this Trojan by following these steps (provided by 2-spyware):
- Delete registry values:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Classes\FAST
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SXS
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SxS
- Delete files:
  - %UserProfile%\SxS\bug.log
  - %UserProfile%\SxS\rc.exe
  - %UserProfile%\SxS\rc.hlp
  - %UserProfile%\SxS\rcdll.dll
Sorry for this short post, more information on this threat will be posted later. Be sure to check the sources for more information and continued reading.
Remember to comment with a topic for my next post.
Sources:
TrendMicro
Symantec
Sunday, August 26, 2012
Extended Silence
I have been gone for a while and I intend to start posting once again. I was pursuing another one of my many interests, but I am back now.
I will post the source code of a Java virus I found, heavily commented, for all of you who are interested in the inner workings of a virus. I also hope this will cause anti-virus companies to start paying more attention to Java jars and the like, as there are many files like jars that AVs do not scan. A jar is essentially treated as a compressed archive, and not as an executable program. This needs to change, as I have seen a large rise in Java viruses myself.
Anyway, check back soon if you're interested.