TrendLabs Malware Blog - Trend Micro
    During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware. The patched services.exe, detected by Trend Micro as PTCH_ZACCESS (32-bit version) and PTCH64_ZACCESS (64-bit version), was verified to be a component of the SIREFEF/ZACCESS malware family. ZACCESS (also known as ZEROACCESS) uses this patched system file to run its other malicious components upon reboot. This proved to be a new variant of SIREFEF/ZACCESS, which now uses a user-mode technique to stealthily load its malicious code instead of the usual rootkit techniques.

    Investigating these cases further using the Trend Micro™ Smart Protection Network™, we were able to locate the main malware (BKDR_ZACCESS.SMQQ) responsible for patching services.exe. We also identified all of the components related to its infection routine. We found that the infection started with the execution of K-Lite Codec Pack.exe (downloaded by the user) and resulted in the patching and execution of the patched services.exe.

    ZACCESS Social Engineering Technique

    This malware propagates by bundling the main malware with crack/keygen applications or game installers. It can also disguise itself as a codec that supposedly must be installed to play a movie downloaded via peer-to-peer (P2P) applications; such files can be found on sites dedicated to keygen apps or in P2P services. Below are some of the file names used. Note that these file names contain the titles of popular movies:

    Downloaded binary via P2P:

    • %P2P DL folder%The_Hunger_Games_2012_DVDRip_XviD_AMVK-Lite Codec Pack 9.0.exe
    • %P2P DL folder%Alien_1979_DVDRip_XviD_FKGK-Lite Codec Pack 9.0.exe
    • %P2P DL folder%The_Amazing_Spider-Man_2012_DVDRip_XviD_YKGK-Lite Codec Pack 9.0.exe
    • %P2P DL folder%John_Carter_2012_DVDRip_XviD_IINK-Lite Codec Pack 9.0.exe
    • %P2P DL folder%The_Dark_Knight_Rises_2012_DVDRip_XviD_QEVK-Lite Codec Pack 9.0.exe

    %P2P DL folder% refers to the P2P folder where the file is being saved after downloading it.
    Downloaded binary via direct download:

    • Diablo_III_crack.exe
    • Microsoft_Office_Professional.crack.exe
    • Youtube_Grabber_Keygen.exe

    Binary Planting Technique

    Once installed, the main ZACCESS dropper (detected as BKDR_ZACCESS.KP) checks the current user's privileges. If the user is an administrator, the malware continues its installation routine. If the user is not an administrator, the malware elevates its privileges to proceed with the installation. It drops and executes BKDR_ZACCESS.SMQQ, which causes a User Account Control (UAC) prompt to appear onscreen.

    When the prompt appears, users may refuse to let the file execute because it looks suspicious, which halts the ZACCESS installation. To get around this, ZACCESS forces the UAC dialog box to pop up by executing a non-malicious Adobe Flash installer (InstallerFlashPlayer.exe).

    To do this, ZACCESS drops InstallerFlashPlayer.exe and the malicious file msimg32.dll (BKDR_ZACCESS.SMQQ) in the user's temporary folder. This technique is known as binary planting, a form of DLL search order abuse that ensures the ZACCESS code is loaded into the InstallerFlashPlayer process address space when the installer is executed. By default, when InstallerFlashPlayer.exe is executed, Windows looks for msimg32.dll in the application's own folder before searching the Windows system folder. Because BKDR_ZACCESS.KP dropped the malicious msimg32.dll into that directory, Windows loads the malicious DLL instead of the original one.

    ZACCESS now successfully launches the UAC dialog box of AdobeFlashPlayer.exe. Users may think that this is legitimate and continue to install Adobe Flash Player. While installing it, ZACCESS silently infects the victim machine in the background.

    Microsoft enabled SafeDllSearchMode by default starting with Windows Vista and Windows 7; it is disabled by default on Windows XP. However, enabling SafeDllSearchMode does not help much in this scenario, because the malware places the malicious DLL in the directory the application is loaded from, which is the first location Windows searches for a DLL regardless of that setting.
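A defender-side check for the planting pattern described above, added here as an example and not part of the original post: it flags any DLL sitting next to an executable whose name collides with a DLL in the system directory and whose contents differ from the system copy. The demo builds a constructed folder layout (a fake Temp folder holding InstallerFlashPlayer.exe and a foreign msimg32.dll, plus a fake System32) so it runs offline on any OS; the file names and contents are stand-ins, not samples.

```python
"""Detect DLLs planted beside an executable that shadow a system DLL by name."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_planted_dlls(app_dir, system_dir):
    """Return [(dll_path, reason)] for DLLs in app_dir that share a name with a DLL in system_dir.

    An unqualified LoadLibrary name is resolved from the application's own directory
    before the system directory, so a same-named DLL placed there is loaded instead of
    the system copy. A name collision with different content is the binary-planting case.
    """
    app_dir, system_dir = Path(app_dir), Path(system_dir)
    system_dlls = {p.name.lower(): p for p in system_dir.glob("*.dll")}  # Windows names are case-insensitive
    findings = []
    for dll in app_dir.glob("*.dll"):
        sys_copy = system_dlls.get(dll.name.lower())
        if sys_copy is None:
            continue  # no collision with a system DLL; an app-private library is expected here
        if sha256_of(dll) != sha256_of(sys_copy):
            findings.append((str(dll), f"shadows {sys_copy} with different content"))
        else:
            findings.append((str(dll), f"byte-identical duplicate of {sys_copy}"))
    return findings


def demo():
    """Constructed layout mirroring the post: installer + foreign msimg32.dll in a temp folder."""
    root = Path(tempfile.mkdtemp())
    system_dir = root / "System32"
    system_dir.mkdir()
    (system_dir / "msimg32.dll").write_bytes(b"MZ stand-in for the legitimate msimg32")
    (system_dir / "kernel32.dll").write_bytes(b"MZ stand-in for kernel32")
    app_dir = root / "Temp"
    app_dir.mkdir()
    (app_dir / "InstallerFlashPlayer.exe").write_bytes(b"MZ stand-in for a benign installer")
    (app_dir / "msimg32.dll").write_bytes(b"MZ stand-in for the planted DLL")  # constructed, not a sample
    (app_dir / "helper.dll").write_bytes(b"MZ app-private dll")  # legitimate, no name collision
    return find_planted_dlls(app_dir, system_dir)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On a real Windows host, point app_dir at the suspect folder (for this variant, the user's temporary folder) and system_dir at %SystemRoot%\System32.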

    Infection Worldwide

    Our research noted a sudden increase in ZACCESS/SIREFEF infections in July 2012. Based on the data we gathered from the Smart Protection Network™, below is a chart representing the number of affected machines by this new ZACCESS variant:

    In particular, the chart above indicates a 54.29% increase in infections recorded between July 14 and July 15. Another sudden increase (18.85%) occurred on July 23.

    Among the countries affected, the United States had the most infections, followed by Japan, Australia and the United Kingdom.

    Country Infection Count
    US 11078
    Japan 1954
    Australia 1417
    UK 856
    Germany 649
    France 479
    Others 3103

    Trend Micro users need not worry, as they are protected from this threat via the Smart Protection Network™. In particular, the web reputation service blocks the URLs from which ZACCESS variants can be downloaded, while the file reputation service detects and deletes BKDR_ZACCESS.KP and BKDR_ZACCESS.SMQQ. Users should also be cautious when downloading files from untrusted sources or P2P networks.

    With additional inputs from Brian Cayanan.


    • Brian

      I just spent 4 hours over the weekend cleaning this virus off my parents' PC. They were running Titanium 2012, so there is still an issue with this virus. This is the only virus to get through in the last 10 years of running Trend Micro products, so I know it's a tough one. Please keep up the good work.

      • Ani

        Just got infected… how did you clean up? Machine keeps restarting.


    © Copyright 2013 Trend Micro Inc. All rights reserved.