ZeroAccess, a kernel-mode rootkit, recently shifted its infection technique from kernel mode to user mode. (For more on ZeroAccess, which turns infected systems into a peer-to-peer botnet, read these posts from my colleagues Peter Szor and Aditya Kapoor.) Even in user mode, ZeroAccess can maintain its presence on an infected system.
ZeroAccess implements what I call file disassociation, which means it modifies memory-loaded objects into a file—in this case either explorer.exe or services.exe. This association of memory into a file is basically stored through LDR_DATA_TABLE_ENTRY. (For more on file-/memory-disassociation techniques, see our Virus Bulletin entry Predicting The Future of Stealth Attacks.)
LDR_DATA_TABLE_ENTRY is a process structure under Windows that works similarly to a table of contents or index of a book. All programs, libraries, and other files used by a running application are tracked under this double-linked list process structure in memory. (Click here for a general overview on Windows processes.)
ZeroAccess acquires its own LDR_DATA_TABLE_ENTRY via the API LdrFindEntryForAddress.
.text:4567187D lea eax, [ebp+arg_0] .text:45671880 push eax .text:45671881 push [ebp+arg_0] .text:45671884 call dword ptr ds:LdrFindEntryForAddress ; acquires its own LDR_DATA_TABLE_ENTRY in the process
Once acquired, ZeroAccess verifies the length and does a wide-character-string copy of the hardcoded string “c:windowssystem32n” into the FullDllName.Buffer
Fools users into thinking the malware is hidden in “c:windowssystem32n”
Removes references to the malware’s location as seen in process memory
McAfee antimalware products will detect and clean this threat from infected systems. As always, keep your products updated to protect against such threats.
