One year ago we’ve blogged about ZeroAccess striking back at antivirus products by means of malicious payload injection causing the antivirus products to terminate. ZeroAccess is known for causing browser redirects causing additional malware infections.
ZeroAccess (also known as Sirefef, Maxplus or Smiscer) changed its way of working a few times and recently it evolved from a rootkit into a user mode virus. This makes sense because it used to use different strategies on 32-bit and 64-bit computers. On 32-bit Windows ZeroAccess infected a random kernel driver and on 64-bit it used an altered Session Manager\SubSystems registry key to survive reboots.
Merging both 32 and 64-bit versions the authors now have a common code base for both architectures which is easier to maintain and improve.
Since a few weeks we receive reports of slightly changed versions of services.exe. This Microsoft component is the Services Control Manager and is responsible for running, ending, and interacting with system services. Upon closer inspection, the minor changes to services.exe are not malicious at all. But they do uncover a new and novel way of hiding malicious payload making ZeroAccess invisible to most antivirus products.
Hiding in NTFS
The trick involves storing the malicious contents in the rarely used Extended Attribute of an NTFS record. We have seen malware using Alternate Data Streams (ADS) but this trick is entirely new and has nothing to do with ADS.
The Extended Attribute is stored along with the NTFS record of services.exe and is invisible to the user (it is not a file but meta-information). Antivirus products don’t process the Extended Attribute since it is deep inside the NTFS file system. The Extended Attribute can only be read using special forensic tools such as WinHex.
When the infected services.exe is loaded by Windows, the infection reads the Extended Attribute NTFS record which contains the actual malicious code. Storing the malicious code not in services.exe but in the special Extended Attribute gives ZeroAccess its needed stealthiness to stay undetected on a user’s system.
Note Copying the infected services.exe to a different file system (e.g. FAT32) or archiving the services.exe to a ZIP-file, will strip the Extended Attribute and therefore lose its malicious content.
To date we’ve seen two different types of services.exe infections. Both versions have the ASLR capability stripped from services.exe. This causes the operating system to consistently load services.exe on the same address allowing the infection to use hardcoded addresses.
The authors of ZeroAccess first released a version that adds a Thread Local Storage (TLS) callback to services.exe. This trick, borrowed from other malware, runs the infection before the main thread. Since this trick is already used by other malware, thus making it suspicious, the authors decided to change it in a second version.
The second and current version doesn’t use the TLS trick since it is obviously suspicious due to the fact that it runs code before the actual services.exe code. Instead the infection overwrites 704 bytes of the services.exe!ScRegisterTCPEndpoint function. The 704 bytes start with a JMP and contains the code that read the Extended Attribute (EA) from services.exe using ZwQueryEaFile:
Removing the Infection
Next to the infected services.exe, ZeroAccess also drops support files under C:\Windows\Installer\ and %LocalAppData% folder as can be seen from this screenshot:
Services.exe is a system file. It must be restored to an original version to maintain system stability.
To complete the removal, HitmanPro also removes the malware’s data files. It uses its cloud assisted remnant scan to get each data file belonging to ZeroAccess.
Currently we have only seen this infection on Windows Vista and Windows 7 (both 32-bit and 64-bit). Windows XP seems unaffected at the moment, but there is no reason why this new trick should not work on XP.
The latest incarnation of ZeroAccess successfully merged its 32-bit and 64-bit code base into a new variant which is both hard to detect and hard to remove. HitmanPro must use all its techniques to detect and remove all pieces of this new ZeroAccess variant.