In the last few days experts at Kaspersky Lab have detected new samples of the malicious program MAX++ (aka ZeroAccess). This Trojan first achieved notoriety for using advanced rootkit technology to hide its presence in a system. Back then, MAX++ only worked on x86 platforms; now it is capable of functioning on x64 systems!
Computers are infected using a drive-by attack on a browser and its components via the Bleeding Life exploit kit. In particular, Acrobat Reader (CVE 2010-0188, CVE 2010-1297, CVE 2010-2884, CVE 2008-2992) and Java (CVE 2010-0842, CVE 2010-3552) modules are prone to attack.
Fragment of the exploit kit code responsible for attacking a specific version of Acrobat Reader
If a computer is vulnerable to the exploits, then the MAX++ Trojan-Downloader is installed on the system. The downloader identifies the type – x86 or x64 – of system it is running on and downloads the appropriate MAX++ dropper (Backdoor.Win32.ZAccess.a/Backdoor.Win64.ZAccess.b).
Fragment of code that identifies the operating system’s
architecture before downloading the appropriate MAX++ dropper
The MAX++ dropper for x86 doesn’t differ much from its earlier incarnation. During installation it infects the system driver (Kaspersky Lab detects infected files as Rootkit.Win32.ZAccess.c) and loads it into the memory calling ntdll!NtLoadDriver. Loading of the driver into the memory is facilitated by the ImagePath parameter in the system registry key. This parameter contains a symbolic link to the infected driver. The dropper also creates a virtual volume in “$windirsystem32config” that is formatted in the NTFS file system and which works in conjunction with the malicious program’s driver. This is also where the dropper’s modules are stored. This variant of MAX++ runs on Windows XP/2003 and Windows 7/2008 32-bit operating systems.
Most interesting of all is when the downloader is run on an x64 system. This results in a dropper specially compiled for x64 systems being downloaded to the victim’s computer. This dropper does not contain a rootkit. It is usermode malware that replicates the behavior of an x32 rootkit except that its components are files and are stored in “$windirassembly” with similar directory structures. Autorun on x64 systems is provided by the registry key “HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSession ManagerSubSystems”. The body of the dropper is placed in the system32 folder under the name consrv.dll. All the modules that the dropper downloads following its own installation are also designed for 64-bit platforms. The x64 version of MAX++ is installed by injecting itself into the services.exe process calling ntdll!NtQueueApcThread. What makes an infected x64 system difficult to treat is the malware’s autorun key: if the file is deleted without repairing the registry key, the BSOD will appear when the system attempts to boot.
The modules downloaded by MAX++ perform various actions – spoofing search results, Trojan-Clicker activity and downloading by command.
Kasperky Lab products successfully protect against MAX++. The exploits are detected as HEUR:Trojan-Downloader.Script.Generic, while the malicious program itself is detected using both standard and heuristic signatures.