
Trojan.Zeroaccess - Has Symantec seen it all?

Created: 25 Sep 2012 | 15 comments
Posted by ABN

This is not a complaint, but as General George S. Patton said, “A good battle plan that you act on today can be better than a perfect one tomorrow.” If we can find a solution now it will help prevent a catastrophe.

We have had major incidents of Trojan.Zeroaccess and Symantec was not able to remediate the problem. The product is working as per design, and that is where we have the problem.

File Name: SERVICES.EXE.0.AVB

Sample Name:  services.exe

SHA256: 9bb8671774e6ce60cc5b9e3c166bd1ee577a3f1cbb5b4957de595a53d5b461d0

Sample submitted to VirusTotal: detection ratio 29/42

https://www.virustotal.com/file/9bb8671774e6ce60cc5b9e3c166bd1ee577a3f1cbb5b4957de595a53d5b461d0/analysis/

Sample Submitted to Symantec Submission: Tracking No: 26187611

Sample Name: SERVICES.EXE.0.AVB

MD5: 50BEA589F7D7958BDD2528A8F69D05CC

Signature Protection Name: Trojan.Patchep!sys

VirusTotal says Symantec detects it as Trojan.Zeroaccess!inf4, whereas the submission response says it is Trojan.Patchep!sys.

Popular Detection:

Kaspersky: Virus.Win64.ZAccess.a
McAfee: Generic.dx!bfnd
Microsoft: Virus:Win64/Sirefef.A
Symantec: Trojan.Zeroaccess!inf4
TrendMicro: PTCH64_SIREFEF.A

Microsoft:

Detects it as Sirefef, which is a multi-component family of malware that uses stealth to hide its presence on an affected computer. It uses a disk-level hook to hide its own presence.

It attempts to modify the driver files and creates a special folder configured as a reparse point (a collection of user-defined data) in which to store additional malware components, as well as the original clean copy of the replaced driver.

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Sirefef

TrendMicro:

Detects it as Sirefef, a new variant of the malware family, now with a user-mode technique to stealthily load its malicious code instead of using regular rootkit techniques. The infection vector is normally a legitimately named patch or codec.

It injects itself into the operating system using DLL search order abuse.

http://blog.trendmicro.com/trendlabs-security-intelligence/zaccesssirefef-arrives-with-new-infection-technique

Symantec:

Detects it as a file that has been infected with Trojan.Zeroaccess.C, which is a Trojan horse that may download more malware and steal confidential information from the compromised computer. It drops files in the user profile and infects SERVICES.EXE.

Trojan.Zeroaccess!inf4

http://www.symantec.com/security_response/writeup.jsp?docid=2012-080901-4610-99

Trojan.Zeroaccess.C

http://www.symantec.com/security_response/writeup.jsp?docid=2012-080900-3758-99

Summing up the analysis, it is now evident that it is better to re-image / reinstall the OS on the infected computer, as the core drivers are infected.

The question is, when this much information is available globally, why were we not protected before it reached the critical level of re-imaging? Services.exe, or any of the core files which were infected and detected as Trojan.Zeroaccess!inf4, would not have been infected if Trojan.Zeroaccess.C had been detected and remediated at the beginning.

We started to have detections of Trojan.Zeroaccess.B.

A Trojan horse that uses an advanced rootkit to hide itself. It can also create a hidden file system, download more malware, and open a back door on the compromised computer.

Once infected, it will attempt to inject itself into the browser.

Trojan.Zeroaccess.B

http://www.symantec.com/security_response/writeup....

Some of the major AV vendors are pointing out that this is a rootkit trait, which Symantec is also accepting. Yet why does Symantec detect this infection as Spyware, which does not even have a clean option?

I feel that unless this threat / variant / strain is detected as a Virus or something in the Macro / Non-Macro category (which has a clean option), this strain will be on the loose.

“All perceptions are flawed ’cos the man who perceives them is flawed.” Kindly feel free to add anything I have missed.
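An added triage script for the checks the post above raises. This is not code from the post, from Symantec or from any of the vendor write-ups linked; it assumes you have a clean reference machine of the identical Windows build and service pack from which to take a known-good hash of services.exe ($KnownGoodSha256 is a placeholder you must fill in). The known-bad SHA256 is the one quoted in the post. It is written for PowerShell 2.0 so that it runs on the Windows 7 / 2008 R2 era hosts the thread is about.

```powershell
# Added triage example; not from the thread, Symantec or any vendor write-up.
# Checks three things on a host suspected of a ZeroAccess infection:
#   1. whether %SystemRoot%\System32\services.exe matches the infected sample's
#      SHA256 quoted in the post, or the hash of a clean copy taken from a
#      reference machine of the same build ($KnownGoodSha256 is an assumption);
#   2. whether Windows still reports a valid Authenticode signature on it;
#   3. which items under %SystemRoot% and the user profile are reparse points,
#      since the Microsoft write-up says the malware stores its components in
#      a folder configured as one. Junctions also exist legitimately (profile
#      compatibility links, for instance), so these are listed for review only.

$KnownBadSha256  = '9BB8671774E6CE60CC5B9E3C166BD1EE577A3F1CBB5B4957DE595A53D5B461D0'
$KnownGoodSha256 = 'FILL-IN-FROM-A-CLEAN-REFERENCE-MACHINE'   # assumption, fill in

function Get-Sha256Hex([string]$Path) {
    # Reads the whole file; services.exe is a few hundred KB, so that is fine.
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $hash  = [System.Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([System.BitConverter]::ToString($hash)).Replace('-', '')
}

function Find-ReparsePoints([string]$Root) {
    # Breadth-first walk that does NOT descend into reparse points, so the
    # default profile junctions (e.g. "Application Data") cannot loop it.
    $found = @()
    $queue = New-Object 'System.Collections.Generic.Queue[string]'
    $queue.Enqueue($Root)
    while ($queue.Count -gt 0) {
        $dir = $queue.Dequeue()
        foreach ($item in (Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue)) {
            if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
                $found += $item.FullName
            } elseif ($item.PSIsContainer) {
                $queue.Enqueue($item.FullName)
            }
        }
    }
    return $found
}

$target = Join-Path $env:SystemRoot 'System32\services.exe'
$hash   = Get-Sha256Hex $target
$sig    = Get-AuthenticodeSignature -FilePath $target

$verdict = 'UNKNOWN: hash matches neither the known-bad nor the known-good value'
if ($hash -eq $KnownBadSha256)      { $verdict = 'INFECTED: matches the sample quoted in the post' }
elseif ($hash -eq $KnownGoodSha256) { $verdict = 'CLEAN HASH: matches the reference copy' }

"services.exe : $target"
"SHA256       : $hash"
"Verdict      : $verdict"
# Catalog-signed system files can report NotSigned on older PowerShell builds,
# so only HashMismatch is conclusive here; NotSigned on its own is not.
"Authenticode : $($sig.Status)  signer=$($sig.SignerCertificate.Subject)"

foreach ($root in @($env:SystemRoot, $env:USERPROFILE)) {
    foreach ($rp in (Find-ReparsePoints $root)) { "REPARSE POINT: $rp" }
}
```

One caveat a practitioner should keep in mind: the Microsoft write-up quoted above says the family uses a disk-level hook to hide itself, so when the rootkit is active what this script reads may be what the rootkit wants it to see. A hash that matches the known-bad sample is proof of infection; a hash that matches the reference copy is not proof of a clean machine. Where possible, mount the disk from clean boot media and run the same hash comparison offline.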

Comments (15)

Mithun Sanghavi wrote:

Hello,

Trojan.Patchep!sys is a generic detection for infected system files that execute other threats. Currently the threat that is executed is Infostealer.Gampass.

I would suggest you create a case with Symantec Technical Support for a second look at and review of this submission.

To Create a Case with Symantec Technical Support.

How to create a new case in MySupport

http://www.symantec.com/business/support/index?page=content&id=TECH58873

Phone numbers to contact Tech Support:

Regional Support Telephone Numbers:

United States: 800-342-0652 (407-357-7600 from outside the United States)
Australia: 1300 365510 (+61 2 8220 7111 from outside Australia)
United Kingdom: +44 (0) 870 606 6000
Hope that helps!!

Mithun Sanghavi
Senior Consultant
MIM | MCSA | MCTS | STS | SSE | SSE+ | ITIL v3


.Brian wrote:

I know it's after the fact but there is a removal tool:

Trojan.Zeroaccess Removal Tool

http://www.symantec.com/security_response/writeup....

This is a rootkit, which is designed to disable and work around AV protection. I'm not sure how these got into your network. I know this thing has been around for a while so I would assume defs were available. Were you able to interrogate the users at all to see how they got it? Perhaps via web browsing or through a vulnerability.


Mohan Babu wrote:

But my suggestion is to rebuild the infected computer.

Harden the virus and spyware policy on your network.

Mohan Babu


Mick2009 wrote:

Hi ABN,

Many thanks for the comments.  Zeroaccess is a threat Security Response has been keeping a close eye on for some time.  In March the following whitepaper was released:

Trojan.ZeroAccess Infection Analysis
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf

This August blog may also be of interest:

Trojan.Zeroaccess.C Hidden in NTFS EA
https://www-secure.symantec.com/connect/blogs/trojanzeroaccessc-hidden-ntfs-ea

There are AV definitions and IPS signatures which can prevent Trojan.Zeroaccess from causing damage to a computer. (Please do be sure that IPS is in use in your organization; otherwise you are fighting with one arm tied behind your back!) Manual action is necessary once this trojan is in place. Luckily, for users of modern Windows OSes, this can be as simple as "restore previous version" of a file. More details:

http://www.symantec.com/security_response/writeup.jsp?docid=2012-080900-3758-99&tabid=3

Hope this helps- thanks again for the post!  Zeroaccess is a serious threat.  A bit of public awareness can help admins to ensure their defenses are up.

With thanks and best regards,

Mick

peter ashley wrote:

Upgrading to the 12.1 release or newer as well as reviewing Symantec best practices on configuration are highly recommended if you have not done so yet.

cus000 wrote:

You can try to get Advanced level support, or directly get the Security Response Team to answer your questions.

Try asking for a further check/review.

ABN wrote:

Hello All,

Thank you for the responses. As I have mentioned at the very beginning, the intention is not to tarnish Symantec. To be honest Symantec is my personal favorite. I’m just trying to see if I can get maximum exposure to the situation, that is all.

@Mithun: We already have a case with Symantec and I am trying to help them from my level. The file is detected as Trojan.Patchep!sys only by the submission engine. The host-based SEP AV engine still detects it as Trojan.Zeroaccess!inf4.

@Brian81: We have tried the tool on all the variants of Zeroaccess and it failed on every combination of privilege and method. That is why this has become critical for us.

@Mohan: Re-imaging is a solution, but not viable when the number of computers is quite huge. The intention is to make sure Symantec is able to remediate it in a future instance.

@Mick: You are most welcome. As I have mentioned, my intention was / is only to help by giving this incident more exposure. The links you have provided are really helpful for us to re-evaluate our settings. This is precisely the purpose for which I started this thread. Thank you very much.

Just a question. When Symantec knows it is more of a rootkit, why is it detected as Spyware, with no clean action? Not just the services.exe (which I know has to be replaced) but the others too.

@Peter: Even if you install SEP 12.1 this detection cannot be remediated. Symantec detects this threat as Spyware and that does not have a clean action.

@Cus000: We currently have the Advanced level support and I am not sure whether we can directly contact SRL.

ThaveshinP wrote:

We are now getting detections on SEP 12RU1MP1 for the virus- Trojan.Zeroaccess!inf4 .

Why does SEP decide to "leave it alone"? We cannot block the services.exe or do anything.

What does Symantec recommend to do?

The file has been submitted and is being detected but nothing happens to it - Treated as spyware and shows "still infected" on home page.

Any help would be useful, as these infections are spreading to top management and they are not going to be impressed if SEP can't quarantine the spyware.

ABN wrote:

Hello Thaveshini:

Symantec, being an AV product, will not be able to repair the core system files as long as they do not know what they contain. I firmly believe Microsoft will not appreciate reverse engineering done on its core system files. Symantec is able to delete all the other Trojan.Zeroaccess files, like the 80000000@ kind of files. Only the SERVICES.EXE will be left alone. Symantec has 8 IPS signatures; if configured, we would be able to prevent it as long as it is not a new variant. Symantec recommends replacing the Services.exe with a known good file.

In case you want to fix the Services.exe, kindly use the Microsoft link below. It may fix it; otherwise follow Symantec's recommendation.

http://www.microsoft.com/en-us/download/details.aspx?id=16

Regards,

ABN

ThaveshinP wrote:

Symantec's recommendation takes too long to do for 2000+ machines spread out over the WAN. Is this MS tool supposed to repair the services.exe, as there are many?

peter ashley wrote:

First, have you determined the source of infection and the cause of spread? One of the linked articles above talks about checking the network drive scanning settings and checking that autorun is disabled.

SEP 12.1+ has better tools to prevent new infections from downloads, but is less able to help once the computer is infected or shared on a trusted network resource.

The thread data seems to indicate that Symantec AV can't repair the specific file. Symantec may have legal restrictions against distributing the clean Microsoft files. Have you tried using Symantec Power Eraser (which uses cloud-based resources) or the MS repair tools (which have no Microsoft legal restrictions)?

If those don't work, the next option may be to gather clean files yourself from representative versions of your systems, and then script a replace-on-reboot utility: http://support.microsoft.com/kb/181345
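As an added example of the replace-on-reboot approach suggested above (this is not code from the thread, from Symantec, or from KB 181345, which only documents the MoveFileEx mechanism): the script stages a clean services.exe that you copied from a reference machine with the identical Windows build and service pack, verifies it, keeps the infected copy as evidence, and queues the swap for the next boot with MoveFileEx and MOVEFILE_DELAY_UNTIL_REBOOT. The staging path $Staged and the reference hash $ExpectedSha256 are assumptions you supply; run it elevated, in PowerShell 2.0 or later.

```powershell
# Added example; not from the thread, Symantec or KB 181345 itself.
# Schedules replacement of the in-use services.exe at the next reboot via
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT), which queues the rename in
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
# $Staged and $ExpectedSha256 are assumptions the operator supplies.
param(
    [string]$Staged         = 'C:\Staging\services.exe',
    [string]$ExpectedSha256 = 'FILL-IN: SHA256 of the clean reference services.exe'
)
$ErrorActionPreference = 'Stop'
$Target = Join-Path $env:SystemRoot 'System32\services.exe'

# 1. The staged copy must be the file you think it is, and the same build as
#    the file it replaces. The version resource of a patched file is normally
#    intact, so this catches a copy taken from the wrong OS image.
$stagedHash = ([System.BitConverter]::ToString(
    [System.Security.Cryptography.SHA256]::Create().ComputeHash(
        [System.IO.File]::ReadAllBytes($Staged)))).Replace('-', '')
if ($stagedHash -ne $ExpectedSha256) {
    throw "Staged file hash $stagedHash does not match expected $ExpectedSha256"
}
$vStaged = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Staged).FileVersion
$vTarget = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Target).FileVersion
if ($vStaged -ne $vTarget) {
    throw "Version mismatch: staged $vStaged, installed $vTarget"
}
# A delayed move cannot copy across volumes, so stage on the system drive.
if ([System.IO.Path]::GetPathRoot($Staged) -ne [System.IO.Path]::GetPathRoot($Target)) {
    throw 'Stage the clean copy on the same volume as the target'
}

# 2. Keep the infected file for forensics. It is mapped and in use, but can
#    still be read; it is stored next to the staged copy, not under System32.
$evidence = Join-Path (Split-Path $Staged) ('services.exe.infected.' + (Get-Date -Format yyyyMMddHHmmss))
Copy-Item -LiteralPath $Target -Destination $evidence

# 3. On Vista and later the file is owned by TrustedInstaller; take ownership
#    and grant Administrators full control so the rename at boot is permitted.
#    (Not needed on XP / 2003, harmless there.)
& takeown.exe /f $Target | Out-Null
& icacls.exe $Target /grant 'Administrators:F' | Out-Null

# 4. Queue the replacement for the next boot, as KB 181345 describes.
Add-Type -Namespace Win32 -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_REPLACE_EXISTING   = 0x1
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4
$ok = [Win32.Kernel32]::MoveFileEx($Staged, $Target,
        ($MOVEFILE_REPLACE_EXISTING -bor $MOVEFILE_DELAY_UNTIL_REBOOT))
if (-not $ok) {
    throw ("MoveFileEx failed, Win32 error " +
           [System.Runtime.InteropServices.Marshal]::GetLastWin32Error())
}

# 5. Show what is queued. smss.exe processes this list early in boot, before
#    wininit.exe starts services.exe, which is why an in-use file can be swapped.
$sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
(Get-ItemProperty -Path $sm -Name PendingFileRenameOperations).PendingFileRenameOperations
"Infected copy kept at $evidence; reboot to complete the replacement."
```

Two practical notes. First, this only replaces the one file; the other ZeroAccess components discussed in the thread (the dropped files in the user profile and the reparse-point folder) still need to be removed, or the next boot can re-infect the fresh services.exe. Second, test on one machine before pushing it to 2000: endpoint tamper protection or application control can refuse the write under System32, and if the rootkit's hook is active you should prefer booting clean media and copying the file onto the mounted volume directly rather than trusting what the infected OS reports.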

ThaveshinP wrote:

The infection is usually from USB sticks. Autorun has been disabled. What I don't or can't figure out is that SEP 12 detects the virus but can do nothing about it? I have submitted the virus to Symantec and all Symantec can report back is that it is not a new threat, and it cannot even quarantine it. We simply cannot start using Power Eraser on +-2000 machines - that is ridiculous, to say the least. The customer is so complicated that we can report on infected machines but are not allowed to access them, as Symantec was pitched as all detection and removal - not even quarantine... but I will check to see if we can isolate the file as mentioned previously in this post...

ez Networking wrote:

Hi,

Just my two cents here

I have managed to remove some infections using Microsoft Windows Defender offline and others using Malwarebytes... (freeware btw...)

I also feel strongly that Symantec EndPoint Protection should be able to block infections of this sort. I really have to think hard to find a case among my customers where SEPP detected a threat and was able to remediate...

It seems we fully have to rely on Symantec's messaging gateway and web gateway to prevent clients from being infected. The use of SkyDrive or Dropbox has decreased the USB drive infection rate drastically, but still SEPP seems only able to detect, rather than to prevent.

There is probably more to it than I can imagine as a development team as large as SEPP's is unable to find a working method where in-the-garage-built freeware can...

Customers more and more feel rolled when they have just paid the annual renewal support and yet another infected client PC is dropped on my desk for an expensive re-image or reinstallation.

I am a Symantec Partner and only install security software with a black and yellow S, but SEPP seems to be losing the battle with malware...

regards, 

.Brian wrote:

All depends on your config

Security Response recommendations for Symantec Endpoint Protection 12.1 settings

Article:TECH173752  |  Created: 2011-11-07  |  Updated: 2011-11-21  |  Article URL http://www.symantec.com/docs/TECH173752


ThaveshinP wrote:

Once again, Trojan.Zeroaccess!inf4 has not been quarantined, yet it has been configured correctly. Why is SEP 12 RU3 detecting the file with no action happening; still infected?

On the Action summary: Trojan.Zeroaccess!inf4, Forced SONAR threat, detection but no action.
On Monitors >> Risk >> Logs:
Security Risk found (Left alone) and (No repair available). The user account has admin rights and the policy is set to quarantine. Please, someone from Symantec help.

We have submitted the file and the BCS report comes back with detection but no repair...this is a major concern as we have over 40000 machines and this cannot be done manually...