ZeroAccess rootkit strikes back

July 15, 2011

Malware that actively fights back against removal is not uncommon. But the authors of the ZeroAccess rootkit found a unique way to strike back at its adversary: it instructs an antivirus program to terminate itself.

The ZeroAccess rootkit uses advanced stealth tactics, similar to the infamous TDL3 rootkit. The rootkit itself hides, but its payload does not: it is very visible to the user, as it redirects, for example, Google Search results in the web browser.

Most antivirus programs are hardened against termination by an external (malicious) process. But it turns out that most antivirus programs are not that tough against themselves.

When an antivirus program tries to scan one of ZeroAccess's rootkit components, the rootkit strikes back by injecting (from kernel mode) a small piece of malicious code into the antivirus process's address space. The code effectively calls the ExitProcess function. The rootkit then queues the code to be run by the antivirus process by means of an APC (asynchronous procedure call). As soon as one of the threads of the antivirus process becomes idle, the queued code executes and ExitProcess is called: the antivirus program terminates itself.

In addition to the self-termination of the antivirus process, the rootkit also changes the access rights (DACL) of the antivirus program’s EXE file so that it cannot be restarted. This leaves the computer unprotected against new malware infections as well.

Hitman Pro 3.5.9 build 127 contains protection against these types of malicious code injections and monitors and restores the DACL on its EXE file. Users of Hitman Pro will automatically be updated to the latest version in the next few days.
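The DACL tampering described above (the rootkit rewriting the access rights on the antivirus EXE so it cannot be restarted) and the monitor-and-restore defence mentioned for Hitman Pro can be illustrated on the SDDL form of a file's security descriptor, which is what `Get-Acl <file> | Select-Object -ExpandProperty Sddl` prints on Windows. The following is an added example, not code from the original post or from Hitman Pro: it parses the DACL out of an SDDL string, flags ACEs that deny execute to broad principals (or the absence of any ACE that allows execute), and returns the baseline DACL to reapply when the current one differs. The SDDL strings, the `find_exec_lockout` and `repair_action` function names and the particular form of tampering (a deny-execute ACE for Everyone) are constructed for illustration; the page does not document the exact ACL change the rootkit makes.

```python
"""Detect execute lockout of an EXE from its SDDL and plan the DACL restore.

Added example: the SDDL inputs below are constructed, and the assumed layout
is the standard one (O:owner G:group D:dacl_flags(ace)(ace)... S:sacl).
"""
import re

# SDDL access-right abbreviations mapped to their bit values (file subset).
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "FA": 0x001F01FF, "FR": 0x00120089, "FW": 0x00120116, "FX": 0x001200A0,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
FILE_EXECUTE = 0x20            # the specific right needed to start the EXE
GENERIC_EXECUTE = 0x20000000
GENERIC_ALL = 0x10000000

# Broad principals: a deny ACE for any of these locks out ordinary users.
BROAD_SIDS = {"WD": "Everyone", "BU": "Users", "AU": "Authenticated Users"}

# Constructed samples: a healthy DACL, one with a deny-execute ACE prepended,
# and one whose allow ACEs were stripped down to read-only.
BASELINE_SDDL = "O:BAG:SYD:PAI(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)"
TAMPERED_SDDL = "O:BAG:SYD:PAI(D;;FX;;;WD)(A;;FA;;;SY)(A;;FA;;;BA)(A;;0x1200a9;;;BU)"
STRIPPED_SDDL = "O:BAG:SYD:PAI(A;;FR;;;BU)"

ACE_RE = re.compile(r"\(([^)]*)\)")
DACL_RE = re.compile(r"D:[A-Z]*((?:\([^)]*\))*)")


def rights_mask(field):
    """Turn an SDDL rights field (hex literal or concatenated 2-letter codes) into a bitmask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    return sum(RIGHTS[field[i:i + 2]] for i in range(0, len(field), 2))


def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts: type ('A' allow / 'D' deny), rights mask, trustee SID."""
    m = DACL_RE.search(sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        ace_type, _flags, rights, _obj_guid, _inherit_guid, sid = ace.split(";")
        aces.append({"type": ace_type, "rights": rights_mask(rights), "sid": sid})
    return aces


def grants_execute(mask):
    """True if the mask carries any right that lets the file be executed."""
    return bool(mask & (FILE_EXECUTE | GENERIC_EXECUTE | GENERIC_ALL))


def find_exec_lockout(sddl):
    """List findings that would stop the EXE from being started by normal users."""
    aces = parse_dacl(sddl)
    findings = []
    for ace in aces:
        if ace["type"] == "D" and ace["sid"] in BROAD_SIDS and grants_execute(ace["rights"]):
            findings.append(f"deny-execute ACE for {BROAD_SIDS[ace['sid']]}")
    if not any(ace["type"] == "A" and grants_execute(ace["rights"]) for ace in aces):
        findings.append("no ACE allows execute")
    return findings


def repair_action(current_sddl, baseline_sddl):
    """Return the baseline SDDL to reapply, or None when the DACL already matches it."""
    if parse_dacl(current_sddl) == parse_dacl(baseline_sddl):
        return None
    return baseline_sddl


if __name__ == "__main__":
    for label, sddl in (("baseline", BASELINE_SDDL), ("tampered", TAMPERED_SDDL), ("stripped", STRIPPED_SDDL)):
        print(label, find_exec_lockout(sddl) or "ok", "->", repair_action(sddl, BASELINE_SDDL))
```

A monitor built on this would read the EXE's SDDL periodically (or on a change notification), call `find_exec_lockout`, and reapply the value returned by `repair_action` with `Set-Acl` or `icacls`; comparing parsed ACEs rather than raw strings avoids false alarms from differences in ACE ordering of flags text.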