
Trojan.Zeroaccess

Risk Level 2: Low

Discovered:
July 13, 2011
Updated:
November 29, 2013 11:16:11 AM
Type:
Trojan
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
CVE References:
CVE-2009-1672, CVE-2009-1671, CVE-2006-0003, CVE-2010-1885, CVE-2009-0927, CVE-2009-4324, CVE-2008-2992
Trojan.Zeroaccess is a Trojan horse that uses an advanced rootkit to hide itself. It also creates a hidden file system, downloads more malware, and opens a back door on the compromised computer.

The Trojan is called ZeroAccess because of a string found in the kernel driver code that points to the original project folder, named ZeroAccess. It is also known as max++ because it creates a new kernel device object called __max++>.
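
The device object name above is the one host-level indicator this writeup gives, so a defender can turn it into a check. The following is an added example, not code from Symantec's writeup: it matches the name against an exported object/handle listing (the sample listing is constructed) and, on Windows, probes for the device directly. It assumes the device is reachable from user mode through a symbolic link of the form `\\.\__max++>`, which the writeup does not state.

```python
"""Defender-side check for the ZeroAccess kernel device object "__max++>".

Two parts: a pure matcher that can run over exported object-manager or
handle listings from any platform, and a live probe that tries to open
the device on a Windows host.
"""
import ctypes
import sys

# The writeup names the device object "__max++>". Reaching it from user
# mode via a \\.\ symbolic link is an assumption made in this example.
ZEROACCESS_DEVICE_NAME = "__max++>"
ZEROACCESS_DEVICE_PATH = "\\\\.\\" + ZEROACCESS_DEVICE_NAME

# Win32 constants for CreateFileW
GENERIC_READ = 0x80000000
FILE_SHARE_READ = 0x00000001
OPEN_EXISTING = 3
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value

# Constructed sample of object-manager paths, as a tool export might list them.
SAMPLE_OBJECT_PATHS = [
    r"\Device\HarddiskVolume1",
    r"\Device\__max++>",
    r"\DosDevices\PhysicalDrive0",
]


def is_zeroaccess_device_name(path: str) -> bool:
    """True if the last component of an object path is the ZeroAccess
    device name (case-insensitive, either separator accepted)."""
    tail = path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1]
    return tail.lower() == ZEROACCESS_DEVICE_NAME.lower()


def scan_object_listing(paths):
    """Return every path in the listing that names the ZeroAccess device."""
    return [p for p in paths if is_zeroaccess_device_name(p)]


def probe_zeroaccess_device():
    """Try to open the device on the local host.

    Returns (checked, present). checked is False when no probe was made
    (non-Windows host); present is True only when the open succeeded.
    Note that a kernel rootkit can hide or refuse the open, so a False
    result does not prove the machine is clean.
    """
    if sys.platform != "win32":
        return (False, False)
    k32 = ctypes.windll.kernel32
    k32.CreateFileW.restype = ctypes.c_void_p
    k32.CreateFileW.argtypes = [
        ctypes.c_wchar_p, ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p,
        ctypes.c_uint32, ctypes.c_uint32, ctypes.c_void_p,
    ]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    handle = k32.CreateFileW(
        ZEROACCESS_DEVICE_PATH, GENERIC_READ, FILE_SHARE_READ,
        None, OPEN_EXISTING, 0, None,
    )
    if handle is None or handle == INVALID_HANDLE_VALUE:
        return (True, False)
    k32.CloseHandle(handle)
    return (True, True)


if __name__ == "__main__":
    hits = scan_object_listing(SAMPLE_OBJECT_PATHS)
    print("indicator paths in listing:", hits)
    checked, present = probe_zeroaccess_device()
    if not checked:
        print("live probe skipped: not a Windows host")
    else:
        print("device present:", present)
```

The listing matcher is the part worth running broadly, for example over object-manager dumps collected from many hosts, because it does not depend on the infected kernel answering honestly; the live probe is a quick triage step on a single suspect machine.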

Infection
This threat is distributed through several means. Some websites have been compromised, redirecting traffic to malicious websites that host Trojan.Zeroaccess and distribute it using the Blackhole Exploit Toolkit and the Bleeding Life Toolkit. This is the classic "drive-by download" scenario. It also updates itself through peer-to-peer networks, which makes it possible for the authors to improve it as well as potentially add new functionality.


Functionality
The primary motivation of this threat is to make money through pay-per-click advertising. It does this by downloading an application that conducts Web searches and clicks on the results. This is known as click fraud, which is a highly lucrative business for malware creators.

The threat is also capable of downloading other threats onto the compromised computer, some of which may be Misleading Applications that display bogus information about threats found on the computer and scare the user into purchasing fake antivirus software to remove the bogus threats. It is also capable of downloading updates of itself to improve and/or fix functionality of the threat.

It is also known to download software onto compromised computers in order to mine bitcoins for the malware creators. Bitcoin mining with a single computer is a futile activity, but when it is performed by leveraging the combined processing power of a massive botnet, the sums that can be generated are considerable.

Furthermore, it opens a back door and connects to a command and control (C&C) server, which allows the remote attacker access to the compromised computer. The attacker is then able to perform any number of actions on the computer, and the computer may then become part of a wider botnet.

It is able to achieve the above functions silently as it infects a system driver that acts as a rootkit hiding all of its components on the computer. The threat creates an encrypted hidden volume in the computer's file system where it stores all of its components. Not only does it store all of its components in the hidden volume, it can also hide any other malicious software that it downloads onto the computer there as well.


Link to Backdoor.Tidserv
There is strong evidence to suggest that there are links between Trojan.Zeroaccess and another piece of malware with advanced rootkit capabilities, Backdoor.Tidserv. Whether the creators of the two are the same is not known. It is possible that the same person wrote the code for both and sold it to different gangs on the black market. Alternatively, it is possible that the creators of Zeroaccess bought the Tidserv code and modified it for their own purposes. What is certain, however, is that Zeroaccess actively searches for any trace of Tidserv on the computer and removes it if found.

GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.

PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.

SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.

  • Antivirus signatures
  • Antivirus (heuristic/generic)
  • Intrusion Prevention System

Antivirus Protection Dates

  • Initial Rapid Release version July 13, 2011 revision 016
  • Latest Rapid Release version November 21, 2014 revision 023
  • Initial Daily Certified version July 13, 2011 revision 024
  • Latest Daily Certified version November 22, 2014 revision 002
  • Initial Weekly Certified release date July 13, 2011

Threat Assessment

Wild

  • Wild Level: High
  • Number of Infections: 1000+
  • Number of Sites: 10+
  • Geographical Distribution: High
  • Threat Containment: Easy
  • Removal: Difficult

Damage

  • Damage Level: Medium
  • Payload: Downloads more malware and opens a back door on the compromised computer.
  • Degrades Performance: Downloaded payloads may impact on the performance of the compromised computer.
  • Compromises Security Settings: Disables security-related applications.

Distribution

  • Distribution Level: Low
Writeup By: Jarrad Shearer
