IT Trenches

Nov 19 2010 2:37PM GMT

Anatomy of a crimeware rootkit – scary stuff!

Troy Tate

I came across a recent tutorial on reverse engineering the ZeroAccess / Max++ / Smiscer Crimeware Rootkit. This is a very malicious rootkit that has features such as:

  • Modern persistence hooks into the OS – making it very difficult to remove without damaging the host OS.
  • Ability to use low level API calls to carve out new disk volumes totally hidden from the infected victim, making traditional disk forensics impossible or difficult.
  • Sophisticated and stealthy modification of resident system drivers to allow for kernel-mode delivery of malicious code.
  • Advanced antivirus bypassing mechanisms.
  • Anti-forensic technology – ZeroAccess uses low level disk and filesystem calls to defeat popular disk and in-memory forensics tools.
  • Serves as a stealthy platform for the retrieval and installation of other malicious crimeware programs.
  • Kernel level monitoring via Asynchronous Procedure Calls of all user-space and kernel-space processes and images, and the ability to seamlessly inject code into any monitored image.

If those elements do not scare you, then consider this information from the same article:

Symantec reports that 250,000+ computers have been infected with this rootkit. If 100% of users pay the $70 removal fee, it would net a total of $17,500,000. As it is not likely that 100% of users will pay the fee, assuming that perhaps 30% will, that results in $5,250,000 in revenue for the RBN (Russian Business Network) cybercrime syndicate.

There’s real money changing hands with malware today. It is no longer script kiddies or basement geeks getting their jollies by causing trouble on a few computers.

Thanks for reading & let’s continue to be good network citizens and track down & prosecute those that are not.
