During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware. The patched services.exe, detected by Trend Micro as PTCH_ZACCESS (for 32-bit version) and PTCH64_ZACCESS (for 64-bit version), was verified to be a component of the SIREFEF/ZACCESS malware family. ZACCESS (also known as ZEROACCESS) used this patched system file to run its other malicious components upon reboot. This proved to be a new variant of SIREFEF/ZACCESS, which now uses user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques.
Investigating these cases further using the Trend Micro™ Smart Protection Network™, we were able to locate the main malware (BKDR_ZACCESS.SMQQ) responsible for patching services.exe. We also identified all of the components related to its infection routine. We found that the infection started with the execution of K-Lite Codec Pack.exe (downloaded by the user) and resulted to the patching and executing of the patched services.exe.
ZACCESS Social Engineering Technique
This malware propagates by bundling the main malware in crack/keygen applications or game installers. It can also disguise itself as a required codec that needs to be installed to play a downloaded movie via peer-to-peer (P2P) applications, which can be found on sites dedicated to keygen apps or in P2P services. Below are some of the names used. Note that these file names contain popular movies:
Downloaded binary via P2P:
- %P2P DL folder%The_Hunger_Games_2012_DVDRip_XviD_AMVK-Lite Codec Pack 9.0.exe
- %P2P DL folder%Alien_1979_DVDRip_XviD_FKGK-Lite Codec Pack 9.0.exe
- %P2P DL folder%The_Amazing_Spider-Man_2012_DVDRip_XviD_YKGK-Lite Codec Pack 9.0.exe
- %P2P DL folder%John_Carter_2012_DVDRip_XviD_IINK-Lite Codec Pack 9.0.exe
- %P2P DL folder%The_Dark_Knight_Rises_2012_DVDRip_XviD_QEVK-Lite Codec Pack 9.0.exe
%P2P DL folder% refers to the P2P folder where the file is being saved after downloading it.
Downloaded binary via direct download:
Binary Planting Technique
Once installed, the main ZACCESS dropper (detected as BKDR_ZACCESS.KP) checks the current user privileges. If the user is an administrator, the malware continues its installation routine. But if the user is a non-administrator user, the malware elevates its privileges to proceed with malware installation. The malware drops and executes BKDR_ZACCESS.SMQQ, which causes a User Account Control (UAC) notification to appear onscreen.
When it appears, users may possibly not allow the file to execute, thinking that the file is suspicious, halting the ZACCESS installation. To bypass this, ZACCESS forces the UAC dialog box to pop up by executing a non-malicious Adobe Flash installer (InstallerFlashPlayer.exe).
To do this, ZACCESS drops InstallerFlashPlayer.exe and the malicious file msimg32.dll (BKDR_ZACCESS.SMQQ) in the user temporary folder. This technique is known as binary planting, a form of DLL Search Order abuse, that ensures the loading of the ZACCESS malicious code into the InstallerFlashPlayer process address when it is executed. By default, when InstallerFlashPlayer.exe is executed, Windows looks for the msimg32.dll in the current folder before searching the Windows system folder. Because BKDR_ZACCESS.KP dropped the malicious msimg32.dll into the current directory, Windows loads the malicious code instead of the original one.
ZACCESS now successfully launches the UAC dialog box of AdobeFlashPlayer.exe. Users may think that this is legitimate and continue to install Adobe Flash Player. While installing it, ZACCESS silently infects the victim machine in the background.
Microsoft enabled the SafeDLLSearchMode by default starting with Windows Vista to Windows 7. This is disabled by default on Windows XP. However, enabling SafeDLLSearchMode is not much of a help in this scenario because the malware places the malicious DLL in the directory where the application is loaded, which is the first location where Windows searches for a DLL.
Our research noted a sudden increase in ZACCESS/SIREFEF infections in July 2012. Based on the data we gathered from the Smart Protection Network™, below is a chart representing the number of affected machines by this new ZACCESS variant:
In particular, the chart above indicates a 54.29% increase in infection recorded between July 14 to July 15. A sudden increase of infections (18.85%) also occurred on July 23.
Among countries affected, the United States had the most number of infections compared to other countries such as Japan, Australia and the United Kingdom.
Trend Micro users need not worry as they are protected from this threat via the Smart Protection Network™. In particular, web reputation service blocks the URLs where ZACESS variants can be downloaded, while file reputation service detects and deletes BKDR_ZACCESS.KP and BKDR_ZACCESS.SMQQ. Users should also be cautious when downloading files from untrusted sources or P2P networks.
With additional inputs from Brian Cayanan.