Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRE
T//
NOFORN
Pique Analysis Report
20150807-251-S
yma
ntec-ZeroAccess Ind
ep
th
Ra
y
theon Blackbird Technolo
g
i
es,
Inc. 1 07 Au
g
ust 2015
Use or disclosure of data contained on this sheet is su
bje
ct to the restrictions on the title
page
of this document.
SECRE
T//
NOFORN
1.0 (U) Analysis Summary
(S//NF) This 2013 report covers the well-known malware sample known as ZeroAccess. The
aspect of ZeroAccess that makes it most interesting is its peer-to-peer (P2P) command and
control architecture, which is fairly unique in malware. ZeroAccess does not use dedicated
command and control (C2) servers, rather it uses P2P to distribute its communications network.
Each infected machine acts as both a client and a server. The downside of a P2P comms
architecture is the relative “chattiness” of the network in updating the infected machines about
the growing and ever changing IP addresses of infected machines. ZeroAccess has been observed
conducting bit coin mining and click fraud.
(S//NF) There are four distinct variants of the ZeroAccess malware:
Version 1 Type I, II, and III
Version 2 Type IV
Type I dates back to early 2011 and contains a rootkit component that is installed as a device
driver and used to access a hidden NTFS file system. Type I also contains a tripwire device
driver that monitors the infected system for behavior indicating anti-virus applications.
Specifically, the tripwire driver watches for processes with high registry access counts. If a
process examines more than 50 service registry key entries in a short period, the process is
suspended. We assume the report means the anti-virus process is suspended and not the malware,
but it isn’t clear.
Type II first appeared in July 2012 and contains the same rootkit component as Type I but hides
its files in a different directory than Type I. Type II also contains the same tripwire component as
Type I.
Type III was first observed in the fall of 2012 and is identical to Type II but with the tripwire
driver removed.
Type IV appeared in late 2012/early 2013 and represents a major overhaul of the ZeroAccess
malware. This version ported the rootkit component to user-mode and emphasizes UDP
communications instead of TCP.
(S//NF) ZeroAccess is at its core a framework used to load additional malware components.
ZeroAccess can be purchased on underground gray market websites. There are different levels of
support that can be procured, the top-level support costing $120K per year.
(S//NF) The most interesting aspect of this report is the described detection and defeat of anti-
virus products, specifically monitoring for high counts of registry key access in a short period of
time. We recommend this technique be developed as a PoC.
2.0 (U) Description of the Technique
(S//NF) The technique recommended for PoC monitors registry key access and triggers on
processes with high registry key access in a short period of time. If detected, those processes are
terminated.

e-Highlighter

Click to send permalink to address bar, or right-click to copy permalink.

Un-highlight all Un-highlight selectionu Highlight selectionh