Saturday, February 18, 2012

ZeroAccess Authors Are Now Faking Company Name: Oak Technology Inc.

First, I should mention that Oak Technology Inc is a legitimate company that designs, develops, and markets high-performance multimedia semiconductors and related software to original equipment manufacturers worldwide who serve the multimedia PC, digital video consumer electronics, and digital office equipment markets. For more information, read here: Wiki

Similar to how many malware authors fake the company name Microsoft Corporation to avoid detection and removal of their files, services, and drivers, it seems the authors behind ZeroAccess are now going for a more subtle approach with Oak Technology Inc.

The latest ZeroAccess infections, which MBAM labels RootKit.0Access.H, include a malicious .DLL file in the C:\WINDOWS\system32 directory. For example: C:\WINDOWS\system32\downloadmanagerlite.dll

Malwarebytes Anti-Malware seems to be on top of this, but one thing it neglects is the ability to find and remove the bad NetSvcs data value (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost|netsvcs) associated with this .DLL.

For example, this was taken from an OTL log (Old Timer's List It) with this new variant of ZeroAccess:

NetSvcs: ksthunk - C:\WINDOWS\system32\downloadmanagerlite.dll (Oak Technology Inc.)

So as you can see, not only is there a bad .DLL file in system32 (downloadmanagerlite.dll), but it is also tied into a bad NetSvcs data value (ksthunk).

That's not the end of it though. There is also a bad service, usually with the same name as the NetSvcs data value.

The below was also taken from an OTL log:

SRV - [2008/04/13 17.14.22 | 000,005,632 | ---- | M] (Oak Technology Inc.) [Auto | Running] -- C:\WINDOWS\system32\downloadmanagerlite.dll -- (ksthunk)

This service (ksthunk) is also problematic and needs to be stopped and deleted.

To ensure complete removal, all three components (the .DLL file, the NetSvcs data value, and the service) need to be deleted.
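The three components above can be cross-checked from the registry rather than eyeballed in an OTL log. The following PowerShell script is an added example, not something from the original post or from Malwarebytes: it walks every service name in the netsvcs value, resolves the ServiceDll each one points at, and reports the DLL's embedded company name and Authenticode status so that an entry like "ksthunk -> downloadmanagerlite.dll (Oak Technology Inc.)" stands out. It is read-only and assumes an elevated PowerShell session on the host being examined.

```powershell
# Added example (not from the original post): audit the netsvcs svchost group
# that this ZeroAccess variant hides in. Nothing is stopped or deleted here;
# the output is a triage list for the technician to act on.

$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs    = (Get-ItemProperty -Path $svchostKey -Name 'netsvcs').netsvcs  # REG_MULTI_SZ -> string[]

foreach ($name in $netsvcs) {
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $svcKey)) { continue }   # group member with no service installed

    # ServiceDll normally lives under Parameters; some services keep it on the key itself
    $dll = $null
    foreach ($k in @("$svcKey\Parameters", $svcKey)) {
        $p = Get-ItemProperty -Path $k -Name 'ServiceDll' -ErrorAction SilentlyContinue
        if ($p -and $p.ServiceDll) { $dll = $p.ServiceDll; break }
    }
    if (-not $dll) { continue }

    # Expand %SystemRoot%-style paths before touching the file
    $dll = [Environment]::ExpandEnvironmentVariables($dll)

    $company = '<file missing>'
    $signer  = 'n/a'
    if (Test-Path $dll) {
        $company = (Get-Item $dll).VersionInfo.CompanyName
        $sig     = Get-AuthenticodeSignature -FilePath $dll
        $signer  = if ($sig.Status -eq 'Valid') { $sig.SignerCertificate.Subject } else { [string]$sig.Status }
    }

    # A netsvcs member whose DLL is not a validly signed Microsoft binary deserves a look;
    # "Oak Technology Inc." with no valid signature matches the variant described in the post.
    [PSCustomObject]@{
        Service    = $name
        State      = (Get-Service -Name $name -ErrorAction SilentlyContinue).Status
        ServiceDll = $dll
        Company    = $company
        Signature  = $signer
        Suspicious = ($signer -notmatch 'Microsoft')
    }
}
```

On older PowerShell versions Get-AuthenticodeSignature does not consult catalog signatures, so legitimate catalog-signed system DLLs can also show NotSigned; treat the Suspicious column as a prompt to inspect the file and its service, not as a verdict.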

Symptoms include:
High CPU usage
"Wild ping" which I assume means ping.exe is constantly being used.

Just providing some examples from what others have mentioned.

With this rootkit constantly being improved, expect other legitimate company names to be used.

Just something to look out for :-)


=========================================
Edit: MBAM can now find and delete NetSvcs data values!
=========================================

Just saw the below in one of the threads I am currently working on:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost|netsvc (TrojanProxy.Agent) -> Data: SPService^n^ -> Quarantined and deleted successfully.

4 comments:

  1. Do you have a copy of this variant? If so can you send me a copy? I will see what has changed in this 'R' version.

  2. Hi,

    Unfortunately I do not. I have been wanting to experiment with it first hand too.

    What do you mean by 'R' version?

  3. Typo. Anyways, if you get the MD5 hash or a sample, leave me a message.

    1. md5 = 1c99feb7645918e387d86d4f5f65a106

      Enjoy ;)
