ZeroAccess Misleads Memory-File Link

July 10, 2012

ZeroAccess, a kernel-mode rootkit, recently shifted its infection technique from kernel mode to user mode. (For more on ZeroAccess, which turns infected systems into a peer-to-peer botnet, read these posts from my colleagues Peter Szor and Aditya Kapoor.) Even in user mode, ZeroAccess can maintain its presence on an infected system.

ZeroAccess implements what I call file disassociation, which means it modifies memory-loaded objects into a file—in this case either explorer.exe or services.exe. This association of memory into a file is basically stored through LDR_DATA_TABLE_ENTRY. (For more on file-/memory-disassociation techniques, see our Virus Bulletin entry Predicting The Future of Stealth Attacks.)

LDR_DATA_TABLE_ENTRY is a process structure under Windows that works similarly to a table of contents or index of a book. All programs, libraries, and other files used by a running application are tracked under this double-linked list process structure in memory. (Click here for a general overview on Windows processes.)

ntdll!_LDR_DATA_TABLE_ENTRY
               +0×000 InLoadOrderLinks : _LIST_ENTRY
              +0×008 InMemoryOrderLinks : _LIST_ENTRY
              +0×010 InInitializationOrderLinks : _LIST_ENTRY
              +0×018 DllBase : Ptr32 Void
              +0x01c EntryPoint : Ptr32 Void
              +0×020 SizeOfImage : Uint4B
              +0×024 FullDllName : _UNICODE_STRING
                            +0×000 Length :
                            +0×002 MaximumLength :
                            +0×004 Buffer :
              +0x02c BaseDllName : _UNICODE_STRING
              +0×034 Flags : Uint4B
              ……..

ZeroAccess acquires its own LDR_DATA_TABLE_ENTRY via the API LdrFindEntryForAddress.

              .text:4567187D lea eax, [ebp+arg_0]
              .text:45671880 push eax
              .text:45671881 push [ebp+arg_0]
              .text:45671884 call dword ptr ds:LdrFindEntryForAddress
; acquires its own LDR_DATA_TABLE_ENTRY in the process

Once acquired, ZeroAccess verifies the length and does a wide-character-string copy of the hardcoded string “c:\\windows\system32\\n” into the FullDllName.Buffer

              .text:45671891 cmp word ptr [eax+24h], 2Ch ; check length
              .text:45671896 jb short loc_456718B2
              .text:45671898 push offset aCWindowsSystem ; “c:\\windows\\system32\\n”
              .text:4567189D push dword ptr [eax+28h] ; wchar_t * – buffer
              .text:456718A0 call ds:wcscpy

ZeroAccess has two key tactics. It:

  • Fools users into thinking the malware is hidden in “c:\windows\system32\n”
  • Removes references to the malware’s location as seen in process memory

McAfee antimalware products will detect and clean this threat from infected systems. As always, keep your products updated to protect against such threats.