Trojan.Zeroaccess is a Trojan horse that uses an advanced rootkit to hide itself. It also creates a hidden file system, downloads more malware, and opens a back door on the compromised computer.
The Trojan is called ZeroAccess because of a string in the kernel driver code that points to the original project folder, named ZeroAccess. It is also known as max++ because it creates a new kernel device object called __max++>.
Infection
This threat is distributed through several means. Some websites have been compromised, redirecting traffic to malicious websites that host Trojan.Zeroaccess and distribute it using the Blackhole Exploit Toolkit and the Bleeding Life Toolkit. This is the classic "drive-by download" scenario. It also updates itself through peer-to-peer networks, which makes it possible for the authors to improve it as well as potentially add new functionality.
Functionality
The primary motivation of this threat is to make money through pay-per-click advertising. It does this by downloading an application that conducts Web searches and clicks on the results. This is known as click fraud, which is a very lucrative business for malware creators.
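The search-and-click behaviour described above leaves a recognizable trace in web proxy logs: a human issues a handful of searches an hour and clicks some results at irregular intervals, while a click bot issues a steady stream of searches, each followed by a click on a result, at near-constant intervals. The following detection heuristic is an added example written for this page; it is not Symantec's or the malware's code. The log format, the set of search hosts and the thresholds are assumptions, and the log lines are constructed here rather than captured from an infected machine.

```python
"""Flag hosts whose browsing looks like automated search-and-click (click fraud).

Added example for this page. The proxy log lines are constructed inline;
the log format ("<iso time> <client> <url> <referrer>"), the search hosts
and the thresholds are assumptions, not ZeroAccess specifics.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import pstdev
from urllib.parse import urlparse

# Assumption: the organisation's proxy sees these as search engines.
SEARCH_HOSTS = {"search.example.com"}


def build_sample_log():
    """Construct sample proxy log lines: one bot-like host and one human-like host."""
    base = datetime(2012, 1, 1, 10, 0, 0)
    lines = []
    # Bot host 10.0.0.5: a search every 30 s, each followed 5 s later by a click
    # on a result, for 12 rounds (constant inter-click gap, no jitter).
    for i in range(12):
        t = base + timedelta(seconds=30 * i)
        query = f"https://search.example.com/search?q=term{i}"
        lines.append(f"{t.isoformat()} 10.0.0.5 {query} -")
        click = (t + timedelta(seconds=5)).isoformat()
        lines.append(f"{click} 10.0.0.5 https://advertiser{i}.example.net/landing {query}")
    # Human host 10.0.0.9: three searches and two clicks at irregular intervals.
    human = [
        (0, "https://search.example.com/search?q=weather", "-"),
        (47, "https://weather.example.org/today", "https://search.example.com/search?q=weather"),
        (610, "https://search.example.com/search?q=lunch", "-"),
        (1300, "https://search.example.com/search?q=news", "-"),
        (1390, "https://news.example.org/", "https://search.example.com/search?q=news"),
    ]
    for offset, url, ref in human:
        t = (base + timedelta(seconds=offset)).isoformat()
        lines.append(f"{t} 10.0.0.9 {url} {ref}")
    return lines


def parse_line(line):
    ts, client, url, ref = line.split()
    return datetime.fromisoformat(ts), client, url, ref


def is_search(url):
    u = urlparse(url)
    return u.hostname in SEARCH_HOSTS and u.path.startswith("/search")


def is_result_click(url, ref):
    """A non-search request whose referrer is a search engine page."""
    return not is_search(url) and urlparse(ref).hostname in SEARCH_HOSTS


def score_hosts(lines, min_clicks=10, max_jitter_s=2.0, min_search_ratio=0.8):
    """Return {client: stats} for hosts whose search-referred clicks are frequent,
    regularly spaced, and nearly always preceded by a fresh search."""
    searches = defaultdict(int)
    click_times = defaultdict(list)
    for line in lines:
        ts, client, url, ref = parse_line(line)
        if is_search(url):
            searches[client] += 1
        elif is_result_click(url, ref):
            click_times[client].append(ts)

    flagged = {}
    for client, times in click_times.items():
        if len(times) < min_clicks:
            continue  # too few clicks to judge; a human browsing normally
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        jitter = pstdev(gaps)
        # Bots click at machine-regular intervals and search before each click.
        if jitter <= max_jitter_s and searches[client] >= min_search_ratio * len(times):
            flagged[client] = {
                "clicks": len(times),
                "searches": searches[client],
                "jitter_s": round(jitter, 2),
            }
    return flagged


if __name__ == "__main__":
    for host, stats in score_hosts(build_sample_log()).items():
        print(f"suspect click bot: {host} {stats}")
```

The thresholds are deliberately conservative: the jitter bound catches timer-driven clicking, and the search-to-click ratio separates a bot that searches before every click from a user who clicks several results of one search. On real logs these values need tuning against a baseline of normal traffic, and a flagged host should be confirmed on the endpoint rather than blocked on this signal alone.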
The threat is also capable of downloading other threats on to the compromised computer, some of which may be Misleading Applications that display bogus information about threats found on the computer and scare the user into purchasing fake antivirus software to remove the bogus threats. It is also capable of downloading updates of itself to improve and/or fix functionality of the threat.
Furthermore, it opens a back door and connects to a command and control (C&C) server, which allows the remote attacker access to the compromised computer. The attacker is then able to perform any number of actions on the computer, and the computer may then become part of a wider botnet.
It is able to carry out the above functions silently because it infects a system driver, which then acts as a rootkit hiding all of the threat's components on the computer. The threat creates an encrypted hidden volume in the computer's file system where it stores all of its components. Not only does it store its own components in the hidden volume, it can also hide any other malicious software that it downloads onto the computer there as well.
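Because the rootkit works by patching a legitimate system driver on disk, the infected driver's file hash no longer matches the known-good file, even though the rootkit hides its other components. The following driver integrity check is an added example written for this page, not Symantec's tooling or a ZeroAccess-specific signature: it records SHA-256 hashes of a driver directory on a clean system and later reports modified, missing and unexpected files. The directory, file names and contents below are constructed in a temporary directory and are not real Windows drivers.

```python
"""Compare system driver files against a known-good SHA-256 baseline.

Added example for this page. The driver directory, file names and contents
are constructed in a temp dir (assumption: on a real system this would be
the OS driver directory, and the baseline would be taken from a clean install).
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(driver_dir):
    """Map file name -> SHA-256 for every .sys file in driver_dir.

    Caveat: take this from a clean system, and keep it off the host. A loaded
    kernel rootkit can lie to the file read API, so the later comparison is
    only trustworthy when the hashes are computed from a clean boot (for
    example, with the disk mounted on a known-good system)."""
    return {p.name: sha256_file(p) for p in sorted(Path(driver_dir).glob("*.sys"))}


def verify(driver_dir, baseline):
    """Return sorted lists of drivers whose hash changed, that vanished,
    and that appeared without being in the baseline."""
    current = build_baseline(driver_dir)
    modified = [n for n in baseline if n in current and current[n] != baseline[n]]
    missing = [n for n in baseline if n not in current]
    unexpected = [n for n in current if n not in baseline]
    return {"modified": sorted(modified), "missing": sorted(missing), "unexpected": sorted(unexpected)}


def demo():
    """Constructed scenario: three clean drivers, then one is overwritten and a new one appears."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        for name in ("disk.sys", "net.sys", "usb.sys"):
            (d / name).write_bytes(b"MZ" + name.encode() + b"\x00" * 64)
        baseline = build_baseline(d)
        assert verify(d, baseline) == {"modified": [], "missing": [], "unexpected": []}
        # Simulate a rootkit patching a legitimate driver in place and dropping a new one.
        (d / "net.sys").write_bytes(b"MZ" + b"net.sys" + b"\x00" * 60 + b"PATCH")
        (d / "extra.sys").write_bytes(b"MZ" + b"\x90" * 32)
        return verify(d, baseline)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

On a live host with the rootkit loaded, a clean comparison result proves little: the hidden volume and the driver's in-memory patches are outside what this check sees. Its value is as an offline or clean-boot check, and as a quick triage step that tells an analyst which driver to pull for reverse engineering.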
Link to Backdoor.Tidserv
There is strong evidence to suggest that there are links between Trojan.Zeroaccess and another piece of malware with advanced rootkit capabilities, Backdoor.Tidserv. Whether the two were written by the same creators is not known. It is possible that the same person wrote the code for both pieces of malware and sold them to different gangs on the black market. Alternatively, it is possible that the creators of Zeroaccess bought the Tidserv code and modified it for their purposes. What is certain, however, is that Zeroaccess actively searches for any trace of Tidserv on the computer and removes it if it finds it.
GEOGRAPHICAL DISTRIBUTION
Symantec has observed the following geographic distribution of this threat.
PREVALENCE
Symantec has observed the following infection levels of this threat worldwide.
SYMANTEC PROTECTION SUMMARY
The following content is provided by Symantec to protect against this threat family.
Antivirus signatures
Antivirus (heuristic/generic)
Intrusion Prevention System