Saturday, February 11, 2012

Max++ / Sirefef / ZeroAccess Rootkit Analysis and Full Removal Procedure by Thisisu - Volume IV
Yesterday when I was only looking for FakeAVs to analyze, I ended up getting a surprise which was a ZeroAccess rootkit. After months of purposely trying to infect a virtual machine with this rootkit (so I didn't have to keep infecting my own live computer with it for analysis purposes), I had pretty much convinced myself that every ZeroAccess dropper had some sort of anti "VMdetect" code which blocked me from doing so. So after making three videos of me infecting my own computer with three different ZeroAccess droppers (and learning A LOT!), I resorted to posting the results of other live machines I encountered with the rootkit.

These two videos show me injecting a virtual machine with about 8 droppers that were labeled "Fake AV / Fake Recovery". Turns out one of them infected my Windows XP virtual machine with ZeroAccess too :)

So without further ado, here is my experience recorded on video:

If you enjoyed the videos, subscribe to my blog or leave me a comment :-)
