1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

0 access (zero access) rootkit discussion

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Blizzardess, Sep 14, 2011.

  1. Blizzardess

    Blizzardess Private E-2

    I wanted to discuss this particular one because in some cases it is not completely removable.

    A few things I noticed running tests on a seperate system (xp sp3 32 bit) wich some might or might not know.
    - Process appears in task manager and shouts out to you "I am not healthy" (figuratively).
    - Can still kill explorer and internet explorer processes (so far in early stages).
    - Appears to use IE (doesn't matter the version) to get instructions. Regularily pins cpu usage when connected to internet.
    - The sooner you disconnect internet the better.
    - Does not seem to degrade system seriously if infected when there is no internet connection. Still cannot use AV and such but easy to get tdss killer to remove.
    - Kills all AV's / Anit-Malware programs very quickly reguardless of internet connection.
    - TDSS killer works great especially if found in early stages.
    - Gmer can find it but not clean. Will not be disabled either.
    - Windows firewall pops up wanting you to unblock IE. Will not give you any info or details.
    - If Malware Bytes is in the process of running a scan during infection it will not kill it immediately. Initiating scans after infection trigger the rootkit to disable.
    I am still going through testing and need to add more variables and time to the equation.

    As far as real world sightings and exp. I haven't seen it much and is usually associated with naughty vids, cracking, and keygens etc. I had a hard time finding a real infection source. Alot of sites with that particular rootkit have been taken down quickly but there are sites that have also been up for months which still have it.

    I hope ppl can add to this with their own exp. / brainpower.

    Thx in advance.
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    We have been removing it successfully for a few weeks already as you can see by reading the threads in this forum. There are multiple forms of this infection and various levels of residual damage that it may cause. For example in some instances, it is corrupting the TCP/IP stack which results in no internet connection being available.
  3. thisisu

    thisisu Malware Consultant

    Hi Blizzardess,

    Quick question about this, are its effects immediate -- as in, as soon as you visit the infected site, you start getting errors about opening certain programs? Or did you have to reboot before the system starting acting up? I still have not found a site with it, and no computers at work have come in with it. I have been trying to get infected with one of the newer ZA variants on a VM but no luck yet.

    Once again, welcome to Major Geeks! :)
  4. Blizzardess

    Blizzardess Private E-2

    Well. with this particular one I found it wasn't on an advertisement, it was in a keygen. I had to actually run the keygen to get infected. Requires no reboot to be infected, but does require internet connection for other commands and effect is immediate. Errors with opening already installed AV's is also immediate. If i cut off internet connection it kind of just sits there, weather it is actually doing anything or not is another question that I am trying to figure out. Mabe length of time with internet connection is a variable in the severity of infection or mabe not. As for this being a newer variant, no, it is at least a few months old and the newer variant places for known infection were taken down within 36 hours. From a normal windows user perspective I don't believe they would know that they are infected. It is just in the backround doing it's own thing, letting you go to websites and letting you download. I read somewhere that it would also be great for removing TDL :) .

Share This Page

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds