Under the Hood of BKDR_ZACCESS

In the previous quarter we reported that we protected against more than 142 million threats in the first half of 2012 alone. One prominent threat in this period was ZACCESS, also known as ZeroAccess or SIREFEF. It pushes fake applications and other malware onto infected systems, while using its rootkit capabilities to hide from detection.

The table below shows the infection ranking by country: the United States is first, Japan second and Australia third. Japan Regional TrendLabs received many queries about this threat from our customers, which also prompted this in-depth analysis.

Ranking  Country         Detection count
1        United States   15,784
2        Japan            3,390
3        Australia        3,029
4        United Kingdom   2,532
5        Canada             955
6        Brazil             766
7        France             479
8        Germany            440
9        Turkey             419
10       Philippines        358

Peer-to-peer functionality

A typical backdoor establishes each session by connecting from the affected PC to a command-and-control (C&C) server in order to receive commands from the attackers; the C&C server does not open a corresponding session back to the affected PC. BKDR_ZACCESS, by contrast, also establishes bidirectional connections with other infected machines through its P2P functionality. This reduces the load on its C&C servers and makes the botnet more robust against a takedown of those servers, because commands can be sent and received between affected PCs without going through a C&C server at all.

Because of this, a PC infected with BKDR_ZACCESS acts as both a “client” and a “server”. Acting as a server, it sends commands or other malware to its peers as if it were a C&C server. Acting as a client, it connects to the IP addresses of other affected PCs listed in its configuration file, updates that file, and then attempts to download and execute other malware.

Thus a user infected by BKDR_ZACCESS is at once a victim of the malware and a relay that helps spread it to other affected PCs.

Hash values in UDP connections

BKDR_ZACCESS drops a file named “@” in the %Windows%\Installer\{CLSID} directory. This file stores the settings it receives from C&C servers or from other infected machines, as a list of IP addresses with timestamps.

The @ file holds 256 IP addresses of affected PCs, so as a client BKDR_ZACCESS attempts to contact all 256 of them to receive commands. Because it needs at least 256 connections, it uses UDP, which is fast and well suited to one-to-many traffic.

Because UDP provides no reliable delivery and only a weak 16-bit checksum, BKDR_ZACCESS inserts a hash value into the data it sends and verifies the hash value of the data it receives.
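The pattern described above, hash-tagged UDP datagrams carrying a peer list, as an added example that is not part of the original post and not the malware's code. The wire format is an assumption made for illustration only (a CRC32 of the body prepended to fixed-size IPv4/timestamp entries, echoing the IP-and-timestamp list the “@” file holds); BKDR_ZACCESS's real message layout is not described on this page.

```python
"""Integrity-tagged UDP peer-list messages, as an added illustration.

The wire format here is an ASSUMPTION made for this example, not BKDR_ZACCESS's
real protocol: a 4-byte CRC32 of the body is prepended to a body made of
(IPv4 address, 32-bit timestamp) entries. The receiver recomputes the hash
before trusting the contents and rejects anything that does not match.
"""
import socket
import struct
import zlib

ENTRY = struct.Struct("!4sI")   # IPv4 in network order + epoch seconds
HEADER = struct.Struct("!I")    # CRC32 of everything after the header


def encode_peer_list(peers):
    """peers: iterable of (dotted_ipv4, unix_ts). Returns hash || body."""
    body = b"".join(ENTRY.pack(socket.inet_aton(ip), ts) for ip, ts in peers)
    return HEADER.pack(zlib.crc32(body) & 0xFFFFFFFF) + body


def decode_peer_list(datagram):
    """Verify the embedded hash and parse the body.

    Returns a list of (dotted_ipv4, unix_ts), or None when the datagram is
    truncated, when the body is not a whole number of entries, or when the
    hash does not match (a bit error in transit, or a mangled packet).
    """
    if len(datagram) < HEADER.size:
        return None
    (expected,) = HEADER.unpack_from(datagram)
    body = datagram[HEADER.size:]
    if (zlib.crc32(body) & 0xFFFFFFFF) != expected:
        return None
    if len(body) % ENTRY.size:
        return None
    return [(socket.inet_ntoa(addr), ts) for addr, ts in ENTRY.iter_unpack(body)]


def flip_bit(datagram, byte_index, bit=0):
    """Simulate a single-bit error in transit."""
    buf = bytearray(datagram)
    buf[byte_index] ^= 1 << bit
    return bytes(buf)


# Constructed sample using RFC 5737 documentation addresses, not real peers.
SAMPLE_PEERS = [("192.0.2.10", 1351900000),
                ("198.51.100.7", 1351903600),
                ("203.0.113.99", 1351907200)]


def demo():
    """Round-trip the sample list, then show a corrupted copy being rejected."""
    wire = encode_peer_list(SAMPLE_PEERS)
    intact = decode_peer_list(wire)
    damaged = decode_peer_list(flip_bit(wire, HEADER.size + 5))  # hits a timestamp byte
    return intact, damaged


if __name__ == "__main__":
    intact, damaged = demo()
    print("intact  :", intact)
    print("damaged :", damaged)   # None: hash mismatch, datagram dropped
```

A check like this only detects accidental corruption. Anyone who knows the format can recompute the hash over a forged peer list, so it authenticates nothing; a keyed MAC or signature would be needed for that, and the page does not say which the malware uses.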

Using the Cabinet File Format (.CAB)

BKDR_ZACCESS drops different malware depending on conditions such as the installed Windows version (32-bit or 64-bit), whether administrator privileges are available, and other criteria. It therefore needs to carry a file for each condition, and for this it uses Microsoft’s Cabinet File Format (.CAB).

The executable binary data is compressed inside the cabinet, so it is hard to confirm that the file carries executable data by inspecting its contents without first decompressing it. Moreover, BKDR_ZACCESS never writes the cabinet file to disk; it exists only in memory.
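Even without decompressing anything, the cabinet's directory (CFHEADER, CFFOLDER and CFFILE structures from the MS-CAB format) reveals the member names, sizes and compression type, which is what an analyst wants from a cabinet carved out of a memory dump. The following is an added example, not Trend Micro's analysis tooling and not the malware's code; the sample cabinet and the surrounding “memory” buffer are constructed inline, and the member names in it are invented.

```python
"""List the members of a Microsoft Cabinet (.CAB) image that exists only in memory.

Added example: it walks the CFHEADER / CFFOLDER / CFFILE directory of a cabinet
found in a byte buffer (e.g. a process memory dump) and reports member names,
sizes and compression type without decompressing member data.
"""
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36-byte fixed header
CFFOLDER = struct.Struct("<IHH")             # coffCabStart, cCFData, typeCompress
CFFILE = struct.Struct("<IIHHHH")            # cbFile, uoffFolderStart, iFolder, date, time, attribs
CFDATA = struct.Struct("<IHH")               # csum, cbData, cbUncomp (then the data bytes)
FLAG_PREV, FLAG_NEXT, FLAG_RESERVE = 0x0001, 0x0002, 0x0004
MAGIC = b"MSCF"


def compression_name(type_compress):
    kind = type_compress & 0x000F
    if kind == 3:                       # LZX: window size exponent in bits 8..12
        return "LZX(window=2^%d)" % ((type_compress >> 8) & 0x1F)
    return {0: "none", 1: "MSZIP", 2: "Quantum"}.get(kind, "unknown(%d)" % kind)


def _skip_cstr(buf, pos):
    """Return the position just past a NUL-terminated string."""
    return buf.index(b"\x00", pos) + 1


def parse_cab(buf, offset=0):
    """Parse the directory of the cabinet at buf[offset:]. Raises ValueError if
    the signature is missing. Member data is never read or decompressed."""
    (sig, _, cb_cabinet, _, coff_files, _, v_minor, v_major,
     c_folders, c_files, flags, set_id, i_cabinet) = CFHEADER.unpack_from(buf, offset)
    if sig != MAGIC:
        raise ValueError("no MSCF signature at offset %d" % offset)
    pos = offset + CFHEADER.size
    cb_cffolder = 0
    if flags & FLAG_RESERVE:            # optional per-structure reserve sizes
        cb_cfheader, cb_cffolder, _cb_cfdata = struct.unpack_from("<HBB", buf, pos)
        pos += 4 + cb_cfheader
    for flag in (FLAG_PREV, FLAG_NEXT):  # szCabinetPrev/szDiskPrev, szCabinetNext/szDiskNext
        if flags & flag:
            pos = _skip_cstr(buf, _skip_cstr(buf, pos))
    folders = []
    for _ in range(c_folders):
        coff_cab_start, c_cfdata, type_compress = CFFOLDER.unpack_from(buf, pos)
        pos += CFFOLDER.size + cb_cffolder
        folders.append({"data_offset": offset + coff_cab_start, "blocks": c_cfdata,
                        "compression": compression_name(type_compress)})
    files, pos = [], offset + coff_files
    for _ in range(c_files):
        cb_file, uoff, i_folder, _date, _time, attribs = CFFILE.unpack_from(buf, pos)
        pos += CFFILE.size
        end = buf.index(b"\x00", pos)
        name = buf[pos:end].decode("utf-8" if attribs & 0x80 else "ascii", "replace")
        pos = end + 1
        # iFolder values >= 0xFFFD mean the file continues from/into another cabinet
        comp = folders[i_folder]["compression"] if i_folder < len(folders) else "spanned"
        files.append({"name": name, "size": cb_file, "folder": i_folder,
                      "folder_offset": uoff, "compression": comp})
    return {"version": "%d.%d" % (v_major, v_minor), "size": cb_cabinet, "set_id": set_id,
            "index": i_cabinet, "folders": folders, "files": files}


def find_cabs(buf):
    """Yield (offset, directory) for every parseable cabinet in a memory buffer."""
    pos = buf.find(MAGIC)
    while pos != -1:
        try:
            yield pos, parse_cab(buf, pos)
        except (ValueError, struct.error):
            pass                        # a stray "MSCF" string, not a cabinet
        pos = buf.find(MAGIC, pos + 1)


def build_uncompressed_cab(members):
    """Constructed test input: a minimal valid single-folder, uncompressed cabinet
    from an ordered {name: bytes} mapping (total data must fit one 32 KiB CFDATA)."""
    data = b"".join(members.values())
    entries, uoff = b"", 0
    for name, blob in members.items():
        entries += CFFILE.pack(len(blob), uoff, 0, 0, 0, 0x20) + name.encode("ascii") + b"\x00"
        uoff += len(blob)
    coff_files = CFHEADER.size + CFFOLDER.size
    coff_data = coff_files + len(entries)
    cb_cabinet = coff_data + CFDATA.size + len(data)
    header = CFHEADER.pack(MAGIC, 0, cb_cabinet, 0, coff_files, 0, 3, 1,
                           1, len(members), 0, 0x1234, 0)
    folder = CFFOLDER.pack(coff_data, 1, 0)              # one CFDATA block, typeCompress = none
    block = CFDATA.pack(0, len(data), len(data)) + data   # csum 0 = no checksum supplied
    return header + folder + entries + block


# Constructed sample: a cabinet embedded in a larger buffer, like a region of process memory.
# Member names are invented for the example.
SAMPLE_MEMBERS = {"n32.dll": b"MZ" + b"\x00" * 30, "n64.dll": b"MZ" + b"\x00" * 62}
SAMPLE_MEMORY = b"\x90" * 17 + build_uncompressed_cab(SAMPLE_MEMBERS) + b"MSCF-not-a-cab"

if __name__ == "__main__":
    for off, cab in find_cabs(SAMPLE_MEMORY):
        print("cabinet at +%d, version %s, %d bytes" % (off, cab["version"], cab["size"]))
        for f in cab["files"]:
            print("  %-12s %6d bytes  %s" % (f["name"], f["size"], f["compression"]))
```

Running the same scan over a dump of the injected process would show the per-condition payloads the text describes by name and size, and the compression field tells you whether MSZIP or LZX decoding is needed to pull the executables out for further analysis.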

Code Injection

BKDR_ZACCESS dynamically and continuously generates code with an unknown packer, writes it into newly allocated memory, and runs it. We found that it makes frequent use of the Microsoft Windows Native API, which is not commonly used by other malware. It then injects its code into multiple legitimate processes, as follows:

  1. BKDR_ZACCESS injects its code into legitimate processes such as explorer.exe and services.exe after dropping its configuration file.
  2. The malicious code injected into explorer.exe prevents some security-related Windows functions, such as the “Security Center”, from starting properly.
  3. The malicious code injected into services.exe carries out the P2P functions described earlier. The payloads are stored in the %Windows%\Installer\{CLSID} folder.
  4. The attackers can also send commands to be run at the command prompt. Among other things, this allows BKDR_ZACCESS to terminate its own processes and to delete itself.

What’s this number for?

During our analysis of BKDR_ZACCESS we found a counter that records the number of connections made to the C&C servers. At the time of analysis it stood at almost 35 million, meaning there were almost 35 million active connections between the servers and affected PCs.

Why did the attackers add this capability? Some ZACCESS variants can send spam, and it is possible that this number is used in underground cybercrime markets, for example to advertise the size of the botnet. The attackers can also use it to gauge which tactics are most successful at infecting users.

Trend Micro solutions

Trend Micro protects users from this threat via the Smart Protection Network™. In particular, the File Reputation Service detects and deletes ZACCESS variants, and Web Reputation Services blocks access to websites hosting ZACCESS and to its C&C servers.

In addition, Trend Micro Deep Security can detect files dropped or downloaded by BKDR_ZACCESS using Integrity Monitoring. Trend Micro Deep Discovery also provides network visibility into this threat’s initial entry and tracks potentially compromised endpoints that initiate ZACCESS C&C communications.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

Story added 6 November 2012; the content source with the full text can be found at the link above.