Trojan.Zeroaccess.C Hidden in NTFS EA

Created: 14 Aug 2012 19:36:01 GMT • Updated: 23 Jan 2014 18:13:07 GMT • Translations available: 日本語

Mircea Ciubotariu Symantec Employee

The latest variant of the Zeroaccess Trojan—Trojan.Zeroaccess.C—makes use of a novel technique to store its malicious content: it exploits a feature provided by the NT File System called Extended Attributes (EA).

Even before Zeroaccess.C, malware authors have been looking for new ways to hide their malicious creations by making use of a specialized API provided by the file system. Two notable examples are the use of Alternate Data Streams (ADS) and Encrypted File System (EFS).

Trojan.Zeroaccess.C uses ZwSetEaFile to write the malicious payload into the EA data of the file %System%\services.exe and ZwQueryEaFile respectively to retrieve and execute it. The threat patches the code to read and execute the EA data directly into the services.exe file by overwriting a portion of the original initialization code:

ZwQueryEaFile returns a FILE_FULL_EA_INFORMATION structure containing the malicious payload as shown below:

It must be noted here that the infected system file—services.exe—cannot be repaired automatically with the information provided by the file alone because a portion of its original code has been permanently overwritten by the threat, forcing the user to restore the file manually from a clean backup. Windows Vista and later versions of Windows makes things easier by offering the option to restore the file to a previous version by right-clicking on the file and selecting Restore previous versions.

Such infected services.exe files are detected as Trojan.Zeroaccess!inf4 by Symantec products.

As with other NTFS features, accessing the EA requires a specialized API and usually malware writers employ these techniques in the hope that antivirus products do not support them. This results in the payload remaining functional for longer periods of time.

As far as Trojan.Zeroaccess.C is concerned, making use of EA marks a new point in its struggle to diversify. This new version does not include the rootkit component anymore, and it infects both x86 (32-bit) and x64 (64-bit) versions of the services.exe file.

Throughout Zeroaccess’ life span we have seen several novel techniques that posed various challenges; however, the antivirus industry has quickly adapted and responded with new technologies.

Blog Entry Filed Under:

Security, Security Response, Endpoint Protection (AntiVirus), NTFS, Trojan.Zeroaccess!inf4, Trojan.Zeroaccess.C

Links

Technical Support Symantec Training Symantec.com Purchase Endpoint Protection Small Business Edition Purchase SSL Certificates

About Security Response Blog

Our security research centers around the world provide unparalleled analysis of and protection from malware, security risks, vulnerabilities, and spam.

Recent Blog Posts

Highlights from the SyScan 2014 Conference • David Maciejak • 17 Apr 2014 08:40:42 GMT
Expect Beautifully Packaged Spam along with Your Easter Gifts! • Binny Kuriakose • 17 Apr 2014 07:50:48 GMT
Babies Offered for Adoption in 419 Scam • Eric Park • 16 Apr 2014 12:58:18 GMT
Heartbleed Poses Risk to Clients and the Internet of Things • Eric Chien • 14 Apr 2014 14:24:17 GMT
Heartbleed – Reports from the Field • Symantec Security Response • 12 Apr 2014 23:13:34 GMT

Filter by:

Recently on Twitter

threatintel

Satellite communications systems used by militaries may be vulnerable to tampering http://t.co/igYWHPF63Z (@dangoodin001)
18 Apr 2014
19-year-old arrested for #Heartbleed attack against Canadian tax agency http://t.co/Czx9xQqqOv (@JessicaChasmar)
17 Apr 2014
Oracle's latest patch update fixes 104 flaws, with 37 in Java. Apply the fixes as soon as possible http://t.co/dQM2axL8LF (@ZDNetCharlie)
17 Apr 2014
Highlights from the #SyScan 2014 Conference http://t.co/SGpJW9yeli #RFID #NFC #mobilePOS #mobilesecurity #SmartCars
16 Apr 2014
Smartphone makers and carriers will include antitheft measures in mobile devices by 2015 in the US http://t.co/XuA1dmj6tz (@smlotPCMag)
16 Apr 2014