ZeroAcces rootkit dominates, adds new persistence techniques
According to a recent report by Alcatel-Lucent subsidiary Kindsight, as much as 10 percent of home networks and over 0.5 percent of mobile devices are infected with malware, and the ZeroAccess botnet continues to be the most common malware threat, infecting 0.8 percent of broadband users.
The ZeroAcces (or Sirefef) rootkit ropes the infected computer into a huge peer-to-peer botnet that is currently being used for click fraud and Bitcoin mining. The rootkit is also capable of downloading additional malware.
A ZeroAccess is almost benign when compared with instances of information-stealing and banking malware – the main symptom of a computer being infected with it is that online searches via Google Search often lead to unhelpful pages filled with ads and equally useless links, which generates revenue for the its controllers and mild irritation for its victims.
The ZeroAccess botnet is continually growing, and there are many reasons behind its success. For one, the botmasters are using a lucrative Pay-Per-Install affiliate scheme to distribute the droppers. Secondly, it takes months for some users to notice that their computers are compromised.
Thirdly, the rootkit’s authors are constantly improving the malware and, according to Sophos‘ James Wyke, the latest update includes interesting new techniques to ensure that the malware is present and starts working every time the infected computer is powered up.
Instead of storing its files in folders in the Recycle Bin and then modifying them so the user can’t read from or write to them, the new ZeroAccess version drops them into the Program Files folder AND the user’s local AppData area.
The files are additionally masked by the name of the folder in which they are contained, which bears Google’s name, and filenames containing Unicode and right-to-left override characters that makes them both impossible for Windows to display and to find via Explorer. In addition to all this, the malware also repeats the scheme that makes it difficult for the inexperienced user to access the folder.
The payload has remained the same, and the botnet still mainly concentrates on click fraud, but it’s obvious that the malware is still under active development, and we can expect ZeroAccess to be a problem for a while yet.