Zero Access Rootkit (ZAccess)

Name

Zero Access Rootkit (ZAccess)

Detection names

Sophos Troj/ZAccess-L, Troj/ZAccess-I, HPmal/ZAccess-A
Kaspersky Backdoor.Win64.ZAccess.a, Backdoor.Win32.ZAccess.ob, Trojan-Dropper.Win32.Injector.cplo
Avira RKIT/ZeroAccess.A
McAfee W32/Sirefef.k, ZeroAccess.cf
Trend Micro TROJ_ADSZAC.SM, TROJ_SIREFEF.BX
Microsoft Trojan:Win32/Sirefef.N, Trojan:Win32/Sirefef.J, Trojan:Win64/Sirefef.B
Symantec Trojan.ADH.2, Trojan.Zeroaccess.B

Affected OS or Software

Microsoft Windows

Basic description

Zero Access is a family of rootkits and backdoors. It uses rootkit techniques to hide from security software while allowing remote attackers to control infected computers.

Zero Access is commonly used to redirect a user's web traffic.

Related links

Not such a nice hack nice pack 

Defending against the threat

Zero Access is commonly distributed via malicious websites, making web security at both the gateway and the endpoint a useful defense. Endpoint scanning that includes behavioral analysis is also helpful in identifying new variants as they are created.

Patches

Although Zero Access itself does not directly take advantage of security vulnerabilities, it is often distributed using exploit packs such as Nice Pack or Blackhole, which exploit a variety of vulnerabilities. As such, a comprehensive patching strategy is recommended, covering the operating system, the browser and browser plugins.

Sophos technologies

Sophos Web Security and Control, in addition to the web protection in Sophos Endpoint Protection, can provide protection against web-based delivery of Zero Access. Additionally, Sophos Endpoint Security's behavioral detection technology can identify Zero Access' attempts to install.

Technical description

Zero Access is a family of rootkits with backdoor functionality.

In order to receive instructions, Zero Access algorithmically generates a list of command and control servers to contact, a technique that first saw widespread use in Conficker. This makes it more difficult to track command and control servers and to block the rootkit's communications. Once installed, Zero Access can be used to redirect a user's web traffic, for example by redirecting their search results to pages that earn money for the criminals operating the Zero Access network.
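Because an algorithmically generated C&C list cannot be blocked by a static domain blacklist, defenders instead look at the shape of the names a host resolves: generated labels tend to be long, high-entropy, vowel-poor and mix digits with letters, and a single client resolving several of them in a short window is a stronger signal than any one name. The following script is an added example, not code from the original page or from Sophos; it scores hostnames from constructed BIND-style query log lines (the log format, thresholds and all hostnames and addresses are assumptions) and reports the clients that resolve more than one suspicious name.

```python
"""Heuristic DGA-style hostname detection over DNS query logs (added example)."""
import math
import re
from collections import Counter, defaultdict

# Constructed sample in a BIND-style "client <ip>#<port>: query: <name> IN <type>" shape.
# Three of the six names are made-up generated-looking labels; none are real IoCs.
SAMPLE_LOG = """\
client 10.0.0.5#51234: query: www.example.com IN A
client 10.0.0.5#51235: query: mail.example.org IN A
client 10.0.0.7#41001: query: xk3q9vz7tb2wpl0r.net IN A
client 10.0.0.7#41002: query: qz8tr1hm4yvc6nkd.com IN A
client 10.0.0.9#33012: query: update.windows.com IN A
client 10.0.0.7#41003: query: 5ahd9p3kxw2mq.biz IN A
"""

QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN ")
VOWELS = set("aeiou")


def registrable_label(name):
    """Naive registrable label: the label directly left of the last one (no PSL lookup)."""
    labels = name.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    """Bits of entropy per character of the label."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_score(label):
    """Score in 0..3: one point each for high entropy, few vowels, digit/letter mixing.

    Thresholds are assumptions chosen for this example, not published values.
    """
    score = 0
    if len(label) >= 10 and shannon_entropy(label) > 3.3:
        score += 1
    letters = [c for c in label if c.isalpha()]
    if letters and sum(c in VOWELS for c in letters) / len(letters) < 0.25:
        score += 1
    if any(c.isdigit() for c in label) and letters:
        score += 1
    return score


def parse_queries(log_text):
    """Yield (client_ip, queried_name) for every line the regex understands."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name")


def flag_dga_like(log_text, threshold=2):
    """Return [(client_ip, name, score)] for names scoring at or above threshold."""
    flagged = []
    for ip, name in parse_queries(log_text):
        score = dga_score(registrable_label(name))
        if score >= threshold:
            flagged.append((ip, name, score))
    return flagged


def clients_with_many_flags(flagged, min_count=2):
    """Clients that resolved at least min_count suspicious names: the actionable list."""
    per_client = defaultdict(int)
    for ip, _name, _score in flagged:
        per_client[ip] += 1
    return {ip for ip, n in per_client.items() if n >= min_count}


if __name__ == "__main__":
    hits = flag_dga_like(SAMPLE_LOG)
    for ip, name, score in hits:
        print(f"{ip}\t{name}\tscore={score}")
    print("clients to investigate:", sorted(clients_with_many_flags(hits)))
```

Expect false positives from CDN and cloud hostnames, which are also long and high-entropy; the per-client count and a whitelist of known infrastructure are what make this usable, and where the generation algorithm of a family has been reverse-engineered, pre-computing its domains for the coming days is far more precise than any heuristic.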

Versions of Zero Access use a variety of techniques to conceal their presence on a PC. The most effective technique is the addition of a driver which intercepts disk access and masks the presence of the rootkit's files. In addition, the rootkit stores files in an encrypted filesystem created inside the Windows system folder. Some versions of Zero Access replace code in a randomly chosen driver file in order to ensure that Windows loads the rootkit code, and others use files with alternate data streams in an attempt to hide from security scanners. Zero Access is often distributed as a payload delivered by web-based exploit kits.
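Alternate data streams are invisible to an ordinary directory listing, but NTFS will enumerate them on request through the Win32 FindFirstStreamW/FindNextStreamW API, so a scanner can walk a tree and report every stream that is not the unnamed data stream or the browser's Zone.Identifier marker. The script below is an added example, not code from the original page or from Sophos: the stream enumeration is Windows-only and calls those two documented kernel32 functions through ctypes, while the classification is plain Python; the expected-stream set and the constructed stream lists are assumptions.

```python
"""Enumerate NTFS alternate data streams and flag unexpected ones (added example)."""
import ctypes
import os
import sys

# WIN32_FIND_STREAM_DATA as documented for FindFirstStreamW: a 64-bit size followed by
# a name buffer of MAX_PATH + 36 wide characters.
MAX_PATH = 260


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    _fields_ = [("StreamSize", ctypes.c_longlong),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


# Streams that are normal on a file (assumption: a realistic but not exhaustive baseline).
EXPECTED_STREAMS = {"::$DATA", ":Zone.Identifier:$DATA"}


def list_streams(path):
    """Return [(stream_name, size_in_bytes)] for one file or directory. Windows only."""
    if sys.platform != "win32":
        raise OSError("NTFS stream enumeration needs the Win32 API")
    k32 = ctypes.windll.kernel32
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    invalid_handle = ctypes.c_void_p(-1).value  # INVALID_HANDLE_VALUE
    # Info level 0 is FindStreamInfoStandard; the flags argument is reserved and must be 0.
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle is None or handle == invalid_handle:
        return []  # no streams reported, or access denied
    streams = []
    try:
        while True:
            streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break  # ERROR_HANDLE_EOF: enumeration finished
    finally:
        k32.FindClose(handle)
    return streams


def unexpected_streams(streams):
    """Keep only streams whose name is not in the expected baseline."""
    return [(name, size) for name, size in streams if name not in EXPECTED_STREAMS]


def scan_tree(root):
    """Walk root and yield (path, stream_name, size) for every unexpected stream."""
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            full = os.path.join(dirpath, entry)
            try:
                found = list_streams(full)
            except OSError:
                continue
            for name, size in unexpected_streams(found):
                yield full, name, size


if __name__ == "__main__":
    # Assumed target: the Windows system folder named in the text; override on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    for path, stream, size in scan_tree(target):
        print(f"{path}{stream}\t{size} bytes")
```

This user-mode listing goes through the same filesystem stack that a rootkit driver intercepting disk access can filter, so a clean result on a live system is not conclusive; the reliable check is to mount the disk from known-clean boot media and run the same scan, or to compare the live listing with one taken offline.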