Zero Access malware Analysis

Source: Internet
Author: User

0x00 Preface

Zero Access has infected hundreds of millions of computers around the world so far. I think one reason ZA (Zero Access) is so widespread is that malicious ad clicks and Bitcoin mining are rampant. Once a ZA-infected system starts downloading various other types of malware, the final loss to the infected individual or organization will certainly not be small.

ZA is spread mainly through malicious emails and exploit kits. It is also spread through distributed P2P file-sharing services, or through software that looks like game cracks and keygens. ZA itself has many distinctive characteristics. After infection, ZA connects to a P2P-based botnet, which makes it very hard to keep tracking.

ZA uses an advanced stealth mechanism to hide itself, and it detects and evades security software and firewalls. The executable file usually lives in the %TEMP% folder and communicates with external sites through HTTP requests.

Once ZA has infected your system, it performs the following operations:

Uses your system for click fraud and Bitcoin mining.

Downloads other malware ....

Enables its AV-evasion function.

Extracts information from the computer.

0x01 Analysis

The initial analysis process is as follows:

Our first step was to isolate the infected machine and then scan the system. We did not find anything during the first scan; however, during the second scan we found that a new file had been created in the %TEMP% folder on the workstation.

In the %SYSTEM% directory we found another suspicious file, which seems to be a configuration file and is protected by an ACL.

Network operations are performed when the file is executed in the sandbox.

The file name is fvshis.sav and the content is encrypted.

While the file was running, we extracted the strings from memory. It is obvious from them that the Max++ dropper component is being used.

Next, we happily analyzed the dropper (the component that installs the malware). At first glance this thing did not seem to be packed;

however, after further analysis we found that it was packed, and with a rather complicated custom packer at that. It also uses several different anti-debugging mechanisms, which kindly encouraged us to work overtime.
The int 20 instruction is a software interrupt.

PS: I don't have the sample at hand, but the first few bytes are probably overwritten to form an int 20, taking advantage of the CPU's instruction prefetch to interfere with single-step tracing. For example:

    mov word ptr [@@], 20cdh
@@: nop
    nop

Under normal circumstances the CPU has already prefetched the two nops and executes them, rather than the INT 20 (cd 20) that the mov just wrote over them. Under single-step tracing it is different: the trap after each instruction flushes the prefetch queue, so the freshly written INT 20 is fetched and executed. (This depends on the prefetch behaviour of older x86 CPUs; later cores detect writes to already-prefetched code and refetch it, so the trick is not reliable on them.)

In other words, the program can detect whether it is being debugged and kill itself.
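
As an added illustration (my own code, not from the original article), here is a small static scanner for the signature this trick leaves in a file: the immediate 20CDh is stored little-endian as the bytes CD 20, which are exactly the encoded INT 20h, so a "mov word ptr [addr], 20CDh" shows up as the mov opcode followed by CD 20. The two encodings and the sample bytes are my own assumptions, and since ZA decrypts its code blocks only at run time, such a scan is only useful on an already-unpacked dump.

```python
import re

# Encodings of "mov word ptr [addr], 20CDh" (assumed, from the x86 opcode map):
#   16-bit code:  C7 06 <disp16> CD 20
#   32-bit code:  66 C7 05 <disp32> CD 20   (66h = 16-bit operand-size prefix)
# The imm16 0x20CD is stored little-endian as CD 20, the bytes of INT 20h.
SIGNATURES = {
    "mov16_disp16_int20": re.compile(rb"\xC7\x06.{2}\xCD\x20", re.DOTALL),
    "mov32_disp32_int20": re.compile(rb"\x66\xC7\x05.{4}\xCD\x20", re.DOTALL),
}
INT20 = re.compile(rb"\xCD\x20")  # a bare INT 20h opcode


def scan_prefetch_trick(data: bytes) -> dict:
    """Offsets of each self-modifying INT 20h write, plus a raw INT 20h count.

    The count alone is weak evidence (CD 20 also occurs in ordinary data); the
    mov+imm16 patterns are the actual indicator of the prefetch trick.
    """
    hits = {name: [m.start() for m in pat.finditer(data)]
            for name, pat in SIGNATURES.items()}
    hits["int20_count"] = len(INT20.findall(data))
    return hits


def is_suspicious(data: bytes) -> bool:
    """True if any self-modifying INT 20h write pattern is present."""
    hits = scan_prefetch_trick(data)
    return any(hits[name] for name in SIGNATURES)


# Constructed test input (not bytes from the real ZA sample): two NOPs of
# filler, the 16-bit "mov word ptr [@@], 20cdh" from the text (target 0105h),
# the two NOPs it overwrites at run time, and some zero padding.
SAMPLE = (b"\x90\x90"
          + b"\xC7\x06\x05\x01\xCD\x20"
          + b"\x90\x90"
          + b"\x00" * 8)

if __name__ == "__main__":
    print(scan_prefetch_trick(SAMPLE))
    # {'mov16_disp16_int20': [2], 'mov32_disp32_int20': [], 'int20_count': 1}
```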

ZA itself has a multi-layer encryption mechanism, and so does its packer.

As I said, what we are analyzing now is the dropper, which is essentially the malware's deployment component. The packer encrypts each segment and decrypts them step by step while the dropper runs, one code segment at a time, and every code block contains an INT 20 (damn it ...); if you accidentally single-step a few instructions too far, the process crashes.

With our passionate efforts, we finally finished unpacking it. Then we found that the sample tried to access some directories on the computer.

Another thing we noticed is that, judging from the int 20, this is a ring 0 rootkit running in kernel mode. After analyzing memory we also found that the malicious sample creates a mutex to detect whether the computer has already been infected by the same thing.

Another discovery is that this thing injects itself into the IE (assumer.exe) process and uses IE to execute its payload.

As mentioned above, the sample runs in kernel mode, and we found that the malware is actually installed as a kernel module.

ZA disguises itself as a device driver, B48DADF8.sys. We dumped this kernel module for further analysis.

In the preliminary analysis, ZA generated some plausible-looking network traffic, which we initially judged to be an online notification, similar to the "friend xxxx is online" message you see when playing Blade & Soul.

At the same time, an HTTP request is sent to a specific domain name.

This is obviously an attempt to establish a connection and then download other malware.

Then we analyzed the domain name, which seems to be hosted in Zurich, Switzerland. Swiss law goes a long way toward protecting the privacy of its citizens, and at the same time cyber criminals also like to host their C&C servers in Switzerland.

We analyzed the domain name further and found that it actually resolves to three different IP addresses. The only thing they have in common is that local privacy protection is comprehensive.

0x02 Conclusion

I have omitted the security recommendations and the like.

We found three IP addresses:

141.8.225.62 (Switzerland)

199.79.60.109 (Cayman Islands)

208.91.196.109 (Cayman Islands)

Although it does not steal user information, it generates a large amount of network traffic for click fraud and Bitcoin mining.
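
As an added example (my own code, not from the article), the following script runs a simple detection over constructed proxy log lines: it flags clients that contacted any of the three C&C addresses listed above, and separately flags clients whose request rate looks like a click-fraud burst rather than human browsing. The log format, the client addresses, the sample traffic and the burst threshold are all assumptions.

```python
import re
from collections import defaultdict
# The three C&C addresses the analysis above resolved the ZA domain to.
ZA_C2_IPS = {"141.8.225.62", "199.79.60.109", "208.91.196.109"}
# Assumed proxy log line format: "<epoch> <client_ip> <method> <url> <dest_ip>"
LOG_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+\.\d+\.\d+\.\d+)$")

# Constructed sample log (not real traffic); 192.0.2.10 is a TEST-NET address.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://news.invalid/ 192.0.2.10
1700000001 10.0.0.7 GET http://c2.invalid/ 141.8.225.62
1700000002 10.0.0.7 POST http://ads.invalid/click 208.91.196.109
1700000003 10.0.0.7 GET http://ads.invalid/click 208.91.196.109
1700000004 10.0.0.7 GET http://ads.invalid/click 199.79.60.109
1700000005 10.0.0.7 GET http://ads.invalid/click 192.0.2.10
this line is malformed and must be skipped
"""

def parse_log(text):
    """Yield (timestamp, client_ip, dest_ip) per well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(5)

def c2_contacts(text):
    """Map each client that reached a known ZA C&C address to the addresses hit."""
    hits = defaultdict(set)
    for _ts, client, dest in parse_log(text):
        if dest in ZA_C2_IPS:
            hits[client].add(dest)
    return dict(hits)

def noisy_clients(text, window=60, threshold=4):
    """Clients with more than `threshold` requests in any `window`-second span
    (numbers assumed; click-fraud traffic shows up as bursts no human produces)."""
    per_client = defaultdict(list)
    for ts, client, _dest in parse_log(text):
        per_client[client].append(ts)
    flagged = {}
    for client, stamps in per_client.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:
                start += 1
            if end - start + 1 > threshold:
                flagged[client] = end - start + 1
                break
    return flagged
```

Running c2_contacts(SAMPLE_LOG) and noisy_clients(SAMPLE_LOG) flags only 10.0.0.7, which both reached the C&C addresses and fired five requests within a few seconds.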

 
