Analysis of ZeroAccess Rootkit

When we write about ZeroAccess rootkit, it is essential to go back in 2009 and to remind when this rootkit had been discovered in the wild. It was the time of MBR rootkit and TDL2 rootkit “the second major release of the most advanced kernel mode rootkit currently in the wild“ when security researchers came across a new, previously unknown, rootkit able to kill most of security software as soon as they tried to scan specified folders in the system. ZeroAccess was creating a new kernel device object called __max++> , this is the reason why the rootkit has quickly become known in the security field as the max++ rootkit, also known as ZeroAccess due to a string found in the kernel driver code, presumably pointing to the original project folder called ZeroAccess (f: \VC5\release\ZeroAccess.pdb).

This rootkit was storing its code in two alternate data streams, win32k.sys:1 and win32k.sys:2. To avoid being detected, it was killing every security software that attempted to scan for alternate data streams. It created in the system folder a number of fake junctions (note: an NTFS junction point is a feature of the NTFS file system that allows a folder to be linked to another local folder, becoming an alias for such target folder) pointing to the fake rootkit device written above. When security software tried to scan such specified folders for Alternate Data Streams presence (FileStreamInformation class), the rootkit’s selfdefense queued a work item in the security process able to immediately kill it. It became a non-trivial job scanning the system without being killed.

Since then, ZeroAccess rootkit evolved, changing the way it infects the system, becoming yet more advanced and dangerous. In this paper we are going to analyse this threat and how it evolved to its current release.