Feeds

Whitehat cracks notorious rootkit wide open

ZeroAccess no more

Intelligent flash storage arrays

A malware analyst has deconstructed a highly advanced piece of crimeware believed to be the work of the notorious Russian Business Network

The step-by-step instructions for reverse engineering the stealthy ZeroAccess rootkit is a blow to its developers, who took great care to make sure it couldn't be forensically analyzed. The tutorial means other malware researchers may also study the malware to close in on the people behind it and to better design products that can safeguard against it.

The analysis was written by Giuseppe Bonfa, a malware researcher specializing in reverse engineering at InfoSec Institute, an information security services company. It documents a rootkit that's almost impossible to remove without damaging the host operating system and uses low-level programming calls to create hard disk volumes that are virtually impossible to detect using normal forensic techniques. Sophos's description of the rootkit, which is also known as Smiscer, is here.

“This document shows the inner workings of a recent rootkit which has very advanced technologies,” Pierre-Marc Bureau, a researcher with antivirus provider Eset, wrote in an email. “This teaches a lot in terms of rootkit technologies, how these malware are operated (pay per download in this case), how they are installed on a system, and how they can be detected.”

According to Bonfa, malicious URLs unearthed from the disassembled rootkit use IP addresses associated with the Russian Business Network. ZeroAccess is currently being used as a platform for installing fake antivirus software, but it could obviously be used to force install any software of the author's bidding. ®

Security for virtualized datacentres

More from The Register

next story
Knock Knock tool makes a joke of Mac AV
Yes, we know Macs 'don't get viruses', but when they do this code'll spot 'em
Shellshock over SMTP attacks mean you can now ignore your email
'But boss, the Internet Storm Centre says it's dangerous for me to reply to you'
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
China is ALREADY spying on Apple iCloud users, claims watchdog
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.