During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware. The patched services.exe, detected by Trend Micro as PTCH_ZACCESS (32-bit version) and PTCH64_ZACCESS (64-bit version), was verified to be a component of the SIREFEF/ZACCESS malware family. ZACCESS (also known as ZEROACCESS) used this patched system file to run its other malicious components upon reboot. This proved to be a new variant of SIREFEF/ZACCESS, one that uses a user-mode technique to stealthily load its malicious code instead of the usual rootkit techniques.
Investigating these cases further using the Trend Micro™ Smart Protection Network™, we located the main malware (BKDR_ZACCESS.SMQQ) responsible for patching services.exe and identified all of the components involved in its infection routine. The infection started with the execution of K-Lite Codec Pack.exe (downloaded by the user) and resulted in the patching and execution of services.exe.
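Because the patched services.exe is a modified copy of a Microsoft-signed system binary, a quick integrity check is to confirm the local file still carries a valid signature and to record its hash for comparison with a clean host of the same Windows build. The script below is an added example, not code from the Trend Micro analysis; the function name Test-ServicesExeIntegrity is ours.

```powershell
# Added example, not from the original post: check whether the local services.exe still
# carries a valid Microsoft signature and record its hash for comparison with a clean host.
# A byte-patched services.exe (PTCH_ZACCESS / PTCH64_ZACCESS) no longer matches its signature.
$servicesExe = Join-Path $env:SystemRoot 'System32\services.exe'

function Test-ServicesExeIntegrity {
    param([string]$Path = $servicesExe)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                         ($sig.SignerCertificate.Subject -like '*Microsoft*')

    [pscustomobject]@{
        Path       = $Path
        Status     = $sig.Status                 # 'Valid' on a clean, current system
        Signer     = $sig.SignerCertificate.Subject
        SHA256     = $hash                       # compare with a known-good host of the same build
        Suspicious = -not $signedByMicrosoft
    }
}

$result = Test-ServicesExeIntegrity
$result | Format-List

if ($result.Suspicious) {
    # On older Windows releases catalog-signed system files can report 'NotSigned' here,
    # so confirm against the component store before treating the result as an infection.
    Write-Warning "services.exe signature status is '$($result.Status)'. Verify with: sfc /verifyfile=$($result.Path)"
}
```

Run it from an elevated PowerShell prompt; a Status other than Valid, or a SHA256 that differs from a clean machine on the same patch level, warrants pulling the file for analysis.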
ZACCESS Social Engineering Technique
This malware propagates by bundling the main malware with crack/keygen applications or game installers. It can also disguise itself as a codec that supposedly must be installed to play a movie downloaded via peer-to-peer (P2P) applications; these files can be found on sites dedicated to keygen apps or in P2P services. Below are some of the file names used. Note that they reference popular movies:
Downloaded binary via P2P:
- %P2P DL folder%\The_Hunger_Games_2012_DVDRip_XviD_AMV\K-Lite Codec Pack 9.0.exe
- %P2P DL folder%\Alien_1979_DVDRip_XviD_FKG\K-Lite Codec Pack 9.0.exe
- %P2P DL folder%\The_Amazing_Spider-Man_2012_DVDRip_XviD_YKG\K-Lite Codec Pack 9.0.exe
- %P2P DL folder%\John_Carter_2012_DVDRip_XviD_IIN\K-Lite Codec Pack 9.0.exe
- %P2P DL folder%\The_Dark_Knight_Rises_2012_DVDRip_XviD_QEV\K-Lite Codec Pack 9.0.exe
%P2P DL folder% refers to the P2P folder where the file is saved after downloading.
Downloaded binary via direct download: