ZeroAccess rootkit strikes back

July 15, 2011

Malware that actively fights back against removal is not uncommon. But the authors of the ZeroAccess rootkit found a unique way to strike back at its adversary: it instructs an antivirus program to terminate itself.

The ZeroAccess rootkit uses advanced stealth tactics, similar to the infamous TDL3 rootkit. The ZeroAccess rootkit itself is hiding, but its payload is not. It is actually very visible to the user, as it redirects e.g. Google Search results in your web browser.

Most antivirus programs are hardened against termination by an external (malicious) process. But it turns out that most antivirus programs are not that tough against themselves.

When an antivirus program tries to scan one of ZeroAccess’s rootkit components, the rootkit strikes back by injecting (from kernel-mode) a small piece of malicious code into the antivirus process space. The code will effectively call the ExitProcess function.
The rootkit then queues the code to be run by the antivirus process by means of an APC (asynchronous procedure call). As soon as one of the threads of the antivirus process becomes idle, the queued code executes and ExitProcess is called: the antivirus program terminates itself.

In addition to the self-termination of the antivirus process, the rootkit also changes the access rights (DACL) of the antivirus program’s EXE file so that it cannot be restarted. This leaves the computer unprotected against new malware infections as well.

Hitman Pro 3.5.9 build 127 contains protection against these types of malicious code injections and monitors and restores the DACL on its EXE file. Users of Hitman Pro will automatically be updated to the latest version in the next few days.
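As an added example (not Hitman Pro's code), the following Python checks an executable's DACL, supplied as an SDDL string, against a known-good baseline and flags the two symptoms described above: a deny ACE added to the file, and the loss of execute rights for Users. The SDDL strings, principal alias and function names are assumptions; on a live system the current SDDL would come from Get-Acl or the Win32 security APIs.

```python
import re

# SDDL rights tokens that include execute on a file object (simplified, assumed set):
# FA = file all, FX = file execute, GA/GX = generic all/execute,
# WP = access-mask bit 0x20, which is FILE_EXECUTE for file objects.
EXEC_TOKENS = {"FA", "FX", "GA", "GX", "WP"}
EXEC_MASK = 0x20 | 0x10000000 | 0x20000000   # FILE_EXECUTE | GENERIC_ALL | GENERIC_EXECUTE

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return the DACL of an SDDL string as a list of (ace_type, rights, sid)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")          # type;flags;rights;object;inherit;sid
        if len(fields) >= 6:
            aces.append((fields[0], fields[2], fields[5]))
    return aces


def grants_execute(rights):
    """True if an SDDL rights field (hex mask or two-letter tokens) includes execute."""
    if rights.startswith("0x"):
        return bool(int(rights, 16) & EXEC_MASK)
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(tokens & EXEC_TOKENS)


def audit_exe_dacl(baseline_sddl, current_sddl, principal="BU"):
    """Compare an executable's current DACL with a known-good baseline.

    Returns (tampered, findings). Findings cover any drift from the baseline,
    deny ACEs (the ZeroAccess trick) and the loss of execute rights for
    `principal` (BU = BUILTIN\\Users by default)."""
    findings = []
    current = parse_dacl(current_sddl)
    if current != parse_dacl(baseline_sddl):
        findings.append("DACL differs from baseline")
    for ace_type, rights, sid in current:
        if ace_type == "D":
            findings.append(f"deny ACE present for {sid} with rights {rights}")
    if not any(t == "A" and sid == principal and grants_execute(r) for t, r, sid in current):
        findings.append(f"no allow ACE grants execute to {principal}")
    return bool(findings), findings
```

When the audit reports tampering, the baseline SDDL is exactly what a restore step would write back with Set-Acl.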


TDL4 bootkit reinstates 64-bit infection capability

May 2, 2011

Microsoft released security update KB2506014 on April 12 to address a vulnerability which allowed unsigned drivers to be loaded by 64-bit Windows. The TDSS/Alureon rootkit family, of which TDL4 is a part, was one of the more advanced rootkits that abused this vulnerability to load the rootkit during Windows boot-up. TDL4 is also known as the Google Redirect Virus.

TDL4 infects the Master Boot Record (MBR) and effectively loads before Windows boots up. This gives so-called bootkits the upper hand in countering the protection mechanisms introduced by 64-bit Windows.

We started to see this new variant a few days ago when we received reports that Hitman Pro was no longer able to remove the TDL4 rootkit. Hitman Pro was detecting the presence of the rootkit but it was no longer able to determine its load point, which is needed for the rootkit’s removal. The reports also indicate that the few dedicated TDSS removal tools from other vendors were also having difficulty detecting and removing it, which is a clear indication that we are dealing with a new variant.

A key survival strategy for rootkits is that they must remain undetectable by antivirus software. TDL4 does so by attaching itself to the hard disk (at the lowest level) and filtering all read/write operations. When antivirus software reads data from the drive, the rootkit simply serves clean, uninfected data, effectively blinding antivirus and internet security software.

In order to detect the presence of rootkits like TDL4, an antivirus must get around the rootkit’s filtering. Only then can the actual infected disk sectors be read and inspected.

Hitman Pro’s Direct Disk Access technology is specifically made to get around such rootkit techniques by scanning computers at a much deeper level. Many of our first-time users are infected with the TDL4 rootkit, despite up-to-date protection software from renowned security vendors. Even though these vendors frequently write reports about this threat, the rootkit does not appear in any top threat list because most products lack the technology to detect and remove it.
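The cross-view check described above, as an added example that is not Hitman Pro's code: it parses a 512-byte MBR into its regions and compares the copy returned through the normal disk stack with the copy obtained by a lower-level read path, reporting which region differs. Function names are assumptions, the sample sectors are constructed in-line, and reading the physical disk itself is left to the caller.

```python
import hashlib
import struct

SECTOR = 512
PART_TABLE_OFF = 446    # four 16-byte partition entries
SIGNATURE_OFF = 510     # 0x55 0xAA boot signature


def parse_mbr(sector):
    """Split a 512-byte MBR into boot code, disk signature, partition table and signature.
    The caller supplies the bytes; which read path produced them is its decision."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        if ptype:   # type 0 means an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": parts,
        "valid_signature": sector[SIGNATURE_OFF:] == b"\x55\xaa",
    }


def cross_view_diff(filtered, raw):
    """Compare the MBR seen through the normal disk stack with the sector read
    below the filter. Any region that differs means something between the two
    read paths is rewriting the data, which is exactly what a bootkit does."""
    f, r = parse_mbr(filtered), parse_mbr(raw)
    return [region for region in f if f[region] != r[region]]


def build_sample_mbr(boot_code_byte):
    """Constructed test sector (not real disk data): one bootable NTFS partition."""
    sector = bytearray(SECTOR)
    sector[:440] = bytes([boot_code_byte]) * 440
    struct.pack_into("<I", sector, 440, 0x1234ABCD)
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 409600)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)
```

A clean view and a raw view that differ only in the boot code region is the signature of an infected MBR being hidden by a filtered read.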

Hitman Pro 3.5.8 build 121 is able to detect and remove the latest TDL4 bootkit variant. A beta version can be downloaded from here:

32-bit: http://dl.surfright.nl/HitmanPro35beta.exe
64-bit: http://dl.surfright.nl/HitmanPro35beta_x64.exe

Changelog (Build 121)

  • Added detection and removal of latest TDL4 bootkit
  • Improved behavioral scan
  • Improved removal engine
  • Added Indonesian language
  • Updated Czech language

Hitman Pro removes 64-bit TDL3 rootkit

August 30, 2010

We have just released Hitman Pro 3.5.6 build 112 BETA that is capable of removing the 64-bit TDL3 rootkit.

Downloads
64-bit: http://dl.surfright.nl/HitmanPro35beta_x64.exe
32-bit: http://dl.surfright.nl/HitmanPro35.exe

If you find any problems with this beta then contact us: support@hitmanpro.com


Hitman Pro detects 64-bit variant of TDL3 rootkit

August 26, 2010

Since build 79 (released on November 30, 2009) Hitman Pro has been capable of detecting and removing the highly sophisticated TDL3 rootkit. Since then the rootkit has changed a dozen times to counteract the tools that were able to remove it.

A few days ago the TDL3 rootkit authors gave their creation a major update: support for 64-bit Windows.

64-bit Windows was always a problem for rootkits, because PatchGuard gives 64-bit Windows additional protection against this class of malware. Well, no longer, as the TDL3 rootkit has taken the leap to 64-bit!

We have made a video to illustrate that the 64-bit TDL3 rootkit works on Windows 7 Professional x64 and how it is detected (*) by Hitman Pro.

Our statistics show that this 64-bit rootkit is not yet widely spread. This is mainly because the rootkit still needs more work, as it is unstable. But you can expect the authors to improve their creation over the next few weeks, starting a new chapter in rootkit history.

*) The current build of Hitman Pro is not yet capable of removing the 64-bit TDL3 infection.


Large AV players jump on TDL3 bandwagon

June 28, 2010

Regular readers of our blog already know about the TDL3 rootkit (aka TDSS or Alureon). It is a rootkit that uses very sophisticated technology and it is able to remain undetected by most Antivirus products.

Recently this rootkit also attracted the attention of some of the larger players in the security industry, such as ESET, Kaspersky and F-Secure. And it’s about time! It has already claimed too many victims.

Microsoft reports that it managed to remove 360,000 TDL3 variants from infected computers using its Malicious Software Removal Tool (MSRT). But this only happened after TDL3 drew Microsoft’s attention because it was incompatible with Microsoft’s MS10-015 patch, causing a large number of computers to become unbootable.

Over 34% of all users that downloaded Hitman Pro in the past weeks were infected with the latest variant of the TDL3 rootkit. This variant (actively spreading since April 2010) is a lot harder to detect and almost impossible to remove.

Most Antivirus products prevent the rootkit from infecting the computer, which is a good thing. But unfortunately, only very few vendors are able to actually detect and remove the TDL3 rootkit after it has infected the computer.

Over the past months TDL3 has changed its stealth and protection several times to counteract the few (mostly dedicated) tools that were able to detect and remove it. Hitman Pro 3.5 has been able to detect and remove the TDL3 rootkit, including the latest variant, since November 2009.


Hitman Pro 3.5.6 Released

June 21, 2010

After a few weeks of hard work we announce the release of Hitman Pro version 3.5.6.

The biggest change in this release is detection and removal of the latest variants of the TDL3 Rootkit (aka Alureon or TDSS), which is currently the most prevalent Rootkit. Besides some dedicated removal tools, Hitman Pro 3.5.6 is currently the only Anti-Malware application that is able to remove all current TDL3 infections.

In this release we have also improved the removal of Trojans and Rootkits that are protected by a kernel thread. These threads serve as a watchdog protecting a Rootkit’s vital hooks into the operating system. Hitman Pro now tries to knock out this watchdog before removing the actual infection.

We have also added detection and removal of advertising and adult related Tracking Cookies from Internet Explorer, Firefox and Chrome. Removal of these Tracking Cookies is free and doesn’t require a license.

Finally we have added the Anti-Virus Ballot Screen which appears when the computer is not protected by an Anti-Virus program. The screen is offering products from our partners, bundled with a FREE Hitman Pro license!

Full Changelog

  • Latest TDL3 (aka Alureon) Rootkit detection and removal. Also works in Early Warning Scoring mode (e.g. when the computer does not have an Internet connection to consult the Scan Cloud).
  • Added a sticky TDL3 Rootkit detection message. This message appears when the hard disk stack contains a reference to a hidden driver, typical TDL3 behavior.
  • Improved removal of Trojans and Rootkits that are protected by a Kernel thread.
  • Added removal of adware and adult related Tracking Cookies in Internet Explorer, Firefox and Chrome. Removal of these Tracking Cookies is free, does NOT require a license.
  • Improved Internet connection detection. E.g., when the connection is hijacked by a local proxy, Hitman Pro will now attempt to bypass it.
  • Authenticode certificates are now handled on a separate thread.
  • Improved handling of files that contain resources with specially crafted data to make Anti-Virus software crash.
  • Small improvement in the hash classifier when performing a right-click scan.
  • New Anti-Virus Ballot Screen which appears when the computer is not protected by an Anti-Virus program, or when the computer is using an AV program that is not compatible with the Windows Security Center. This screen does not appear when you purchased a Hitman Pro license.
  • Return of the AV Scan Cloud vendor icons on the Welcome page.
  • Improved the Intelligent removal of malware related remnants.
  • Updated the French language strings.
  • Updated graphics. More color and detail.
  • Updated internal Whitelists.
  • Several other minor improvements.

The 32-bit version is available now here. Users will be automatically updated to the newest version.


Microsoft cures 260,000 TDL3 infections

May 3, 2010

Microsoft’s Malicious Software Removal Tool (MSRT) cleaned over 260,000 computers that were infected by Alureon (aka TDL3 or TDSS). See http://blogs.technet.com/mmpc/archive/2010/04/30/msrt-april-threat-reports-alureon.aspx for more details.

MSRT is effective against TDL3 up to version 2.273, but it has no effect against newer versions of TDL3 (spreading since April 2010). Hopefully Microsoft will be able to clean these soon. But the good news is that at least these 260,000 people were rescued.

From our own user base, we see that 32,610 computers were infected with TDL3, while 22,607 of them (69.3%) had an up-to-date AntiVirus program installed. Most AntiVirus programs will be able to prevent an infection. But after the machine is infected, many AntiVirus programs have difficulty detecting and removing the infection. TDL3 has been spreading since October 2009.