Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

ZeroAccess Becoming More Persistent as well as Pervasive

A report for the end of last year estimated that 1 in every 125 US home networks were infected by ZeroAccess
A report for the end of last year estimated that 1 in every 125 US home networks were infected by ZeroAccess

ZeroAccess has long been pervasive. Kindsight Security Labs Malware Report for the end of last year estimated that 1 in every 125 US home networks were infected – it was effectively an advanced pervasive threat.

A new analysis by Sophos now demonstrates that its authors are continuing to modify and improve the malware. In particular, says James Wyke in the Naked Security blog, "The authors have pushed out another update and this time they are using some interesting techniques to ensure reboot persistence."

Persistence, he explains, puts the 'P' in 'APT'. "Simply put", he says, "malware has persistence if it automatically reloads itself when you logoff and log back on, or when you reboot." The advanced pervasive threat has become a genuine advanced persistent threat.

Earlier versions of ZeroAccess changed the operating system's access control list entries (ACLs) so that users could neither read nor write to the malware files. This latest iteration does this but adds a new trick: it uses the right-to-left override (RLO) "and several other non-printable Unicode characters in both file paths and registry entries to further hinder identification and removal of the ZeroAccess components", says Wyke.

RLO is often used to hide the extension of malicious executables. "Here", says Wyke, "the ZeroAccess authors are combining it with other characters that Windows Explorer cannot display. This hides the files, and makes their removal challenging."

Persistence is achieved by adding an entry to the Registry to start the hidden executable at startup. The entry is disguised by the Unicode characters to look like a Google update service ('gupdate'), and is only noticeable because the hidden characters make it appear in the Registry out of alphabetic order.

The payload in this version hasn't changed, and it is still primarily being used to carry out click fraud. The relevance, however, is that it shows development is still active, and, says Wyke, "the focus of the authors is to increase the lifetime of ZeroAccess on infected systems by making discovery and removal a more difficult process."

What’s Hot on Infosecurity Magazine?