Re: Computer forensics training Oct 31 2010 10:14PM
Ntpeck (ntpeck yahoo com) (1 replies)
RE: Computer forensics training Nov 08 2010 04:50PM
Don Raikes (DON RAIKES ORACLE COM) (1 replies)
Re: Computer forensics training Nov 10 2010 12:08PM
James Powell (jameskentonpowell googlemail com) (1 replies)
Reverse Engineering the Source of the ZeroAccess Crimeware Rootkit Nov 15 2010 07:01PM
Adam Behnke (adam infosecinstitute com)
Hello forensics friends, we recently undertook a project to update the
hands-on labs in our Reverse Engineering Malware course, and one of our
InfoSec Resources Authors, Giuseppe "Evilcry" Bonfa defeated all of the
anti-debugging and anti-forensics features of ZeroAccess and traced the
source of this crimeware rootkit:

InfoSec Institute would classify ZeroAccess as a sophisticated, advanced
rootkit. It has 4 main components that we will reverse in great detail in
this series of articles. ZeroAccess is a compartmentalized crimeware rootkit
that serves as a platform for installing various malicious programs onto
victim computers. It also supports features to make itself and the installed
malicious programs impossible for power-users to remove and very difficult
security experts to forensically analyze.

At the conclusion of the analysis, we will trace the criminal origins of the
ZeroAccess rootkit. We will discover that the purpose of this rootkit is to
set up a stealthy, undetectable and un-removable platform to deliver
malicious software to victim computers. We will also see that ZeroAccess is
being currently used to deliver FakeAntivirus crimeware applications that
trick users into paying $70 to remove the "antivirus". It could be used to
deliver any malicious application, such as one that steals bank and credit
card information in the future. Further analysis and network forensics
supports that ZeroAccess is being hosted and originates from the Ecatel
Network, which is controlled by the cybercrime syndicate RBN (Russian
Business Network).

Symantec reports that 250,000+ computers have been infected with this
rootkit. If 100% of users pay the $70 removal fee, it would net a total of
$17,500,000. As it is not likely that 100% of users will pay the fee,
assuming that perhaps 30% will, resulting $5,250,000 in revenue for the RBN
cybercrime syndicate.

It has the following capabilities:

1. Modern persistence hooks into the OS - Make it very difficult to
remove without damaging the host OS
2. Ability to use a low level API calls to carve out new disk volumes
totally hidden from the infected victim, making traditional disk forensics
impossible or difficult.
3. Sophisticated and stealthy modification of resident system drivers
to allow for kernel-mode delivery of malicious code
4. Advanced Antivirus bypassing mechanisms.
5. Anti Forensic Technology - ZeroAccess uses low level disk and
filesystem calls to defeat popular disk and in-memory forensics tools
6. Serves as a stealthy platform for the retrieval and installation of
other malicious crimeware programs
7. Kernel level monitoring via Asynchronous Procedure Calls of all
user-space and kernel-space processes and images, and ability to seamlessly
inject code into any monitored image

Certify Software Integrity - thawte Code Signing Certificates
This guide will show you how Code Signing Certificates are used to secure code that can be downloaded from the Internet. You will also learn how these certificates operate with different software platforms.;5000;25;1371;0;2;946;005be7f5c8

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus