Sunday, October 23, 2011

Max++/Sirefef/ZeroAccess Rootkit Analysis


Sample used: a September 2011 Max++/Sirefef/ZeroAccess build.

ComboFix did warn that TCP/IP was infected as well, but unfortunately I didn't capture that footage; the video program I was using must have closed. The same happened when I was testing RKill and RogueKiller. Both were unsuccessful.

Before removing any components of the infection, here are the results of running various tools on the live (still-rootkitted) system:

Webroot AntiZeroAccess v0.8.0.1 = PASS
TDSSKiller v2.6.2.0 = PASS
HitmanPro v3.5.9.130 = PASS
aswMBR v0.9.8.986 = FAIL (was shut down in the middle of its scan)
NTFSAccess v2.1 = FAIL (did not restore permissions while the rootkit was active; restored permissions successfully afterwards)
GrantPerms v3.3.6.1 = FAIL
RKill (.scr, .com, and .exe versions) = FAIL
RogueKiller (winlogon.exe) v6.1.1.0 = FAIL (reports that it terminated the process, but the process is still running in Task Manager)
MBAM (mb.exe) v1.51.2.1300 = FAIL (shuts down within ~10 seconds)
SAS v5.0.1128 = FAIL (shuts down within ~25 seconds)
Process Explorer = FAIL (shut down immediately after injection)
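The RogueKiller result above (tool reports a kill, process still running) is the reason a "terminated" message from any tool should be checked against the process table rather than trusted. The following PowerShell snippet is an added example, not code from the original post or from any of the tools listed: it takes a snapshot of the named processes before a tool runs and again afterwards, and tells survivors apart from respawned copies by comparing PID and StartTime. The process name `winlogon` is used only because that is the host the post mentions; run it from an elevated prompt.

```powershell
# Added example (not part of the original post): verify a tool's "process
# terminated" claim by comparing snapshots taken before and after it runs.
# Assumes an elevated PowerShell prompt; the target name is a placeholder.

function Get-ProcessSnapshot {
    param([Parameter(Mandatory)][string[]]$Name)
    Get-Process -Name $Name -ErrorAction SilentlyContinue | ForEach-Object {
        $start = $null
        # StartTime can throw "access denied" on protected processes; keep going.
        try { $start = $_.StartTime } catch { }
        [pscustomobject]@{
            Name      = $_.ProcessName
            Id        = $_.Id
            StartTime = $start
            Path      = $_.Path
        }
    }
}

function Compare-ProcessSnapshot {
    param(
        [Parameter(Mandatory)][object[]]$Before,
        [object[]]$After = @()
    )
    if (-not $After) { $After = @() }   # a null second snapshot means nothing matched
    foreach ($b in $Before) {
        # Same PID and same StartTime: the original instance never died.
        $same = $After | Where-Object {
            $_.Id -eq $b.Id -and $_.StartTime -eq $b.StartTime
        }
        # Same name but a different PID or StartTime: it was killed and respawned
        # (a watchdog component re-launching it, or the tool hit the wrong instance).
        $respawn = $After | Where-Object {
            $_.Name -eq $b.Name -and -not ($_.Id -eq $b.Id -and $_.StartTime -eq $b.StartTime)
        }
        $status = if ($same) { 'STILL RUNNING' }
                  elseif ($respawn) { 'RESPAWNED' }
                  else { 'GONE' }
        [pscustomobject]@{
            Name   = $b.Name
            Id     = $b.Id
            Path   = $b.Path
            Status = $status
        }
    }
}

# Usage: snapshot, run the removal tool, snapshot again, compare the two.
$before = Get-ProcessSnapshot -Name 'winlogon'
# ... run the tool that claims to have terminated the process ...
$after  = Get-ProcessSnapshot -Name 'winlogon'
Compare-ProcessSnapshot -Before $before -After $after | Format-Table -AutoSize
```

The script only observes; it never kills anything itself, which matters when the injected host is a critical process such as winlogon.exe. A row reading STILL RUNNING with the original PID is the case the post describes; RESPAWNED shows that a kill did land but something brought the process back, which is the behaviour to expect from a rootkit with its own watchdog.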
