MAX++ sets its sights on x64 platforms

In the last few days experts at Kaspersky Lab have detected new samples of the malicious program MAX++ (aka ZeroAccess). This Trojan first achieved notoriety for using advanced rootkit technology to hide its presence in a system. Back then, MAX++ only worked on x86 platforms; now it is capable of functioning on x64 systems!

Computers are infected using a drive-by attack on a browser and its components via the Bleeding Life exploit kit. In particular, Acrobat Reader (CVE 2010-0188, CVE 2010-1297, CVE 2010-2884, CVE 2008-2992) and Java (CVE 2010-0842, CVE 2010-3552) modules are prone to attack.

Fragment of the exploit kit code responsible for attacking a specific version of Acrobat Reader

If a computer is vulnerable to the exploits, then the MAX++ Trojan-Downloader is installed on the system. The downloader identifies the type – x86 or x64 – of system it is running on and downloads the appropriate MAX++ dropper (Backdoor.Win32.ZAccess.a/Backdoor.Win64.ZAccess.b).

Fragment of code that identifies the operating system's architecture before downloading the appropriate MAX++ dropper

The MAX++ dropper for x86 doesn't differ much from its earlier incarnation. During installation it infects a system driver (Kaspersky Lab detects infected files as Rootkit.Win32.ZAccess.c) and loads it into memory by calling ntdll!NtLoadDriver. Loading of the driver into memory is facilitated by the ImagePath parameter of the driver's service key in the system registry; this parameter contains a symbolic link to the infected driver. The dropper also creates a virtual volume in "$windir\system32\config" that is formatted with the NTFS file system and works in conjunction with the malicious program's driver. This is also where the dropper's modules are stored. This variant of MAX++ runs on Windows XP/2003 and Windows 7/2008 32-bit operating systems.

Most interesting of all is when the downloader is run on an x64 system. This results in a dropper specially compiled for x64 systems being downloaded to the victim's computer. This dropper does not contain a rootkit. It is user-mode malware that replicates the behavior of the x86 rootkit, except that its components are ordinary files stored in "$windir\assembly" with a similar directory structure. Autorun on x64 systems is provided by the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems". The body of the dropper is placed in the system32 folder under the name consrv.dll. All the modules that the dropper downloads following its own installation are also designed for 64-bit platforms. The x64 version of MAX++ installs itself by injecting into the services.exe process via ntdll!NtQueueApcThread. What makes an infected x64 system difficult to treat is the malware's autorun key: if the file is deleted without repairing the registry key, a BSOD appears when the system attempts to boot.
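The autorun mechanism above is also the remediation trap: the SubSystems key tells csrss.exe which server DLLs to load at boot, so deleting consrv.dll while the key still references it leaves the session manager unable to start the Windows subsystem. The following is an added example written for this article (not Kaspersky Lab code and not taken from the malware) showing how a responder can audit that value offline and prepare the repaired string before touching any file. It assumes the `Windows` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems` carries `ServerDll=<module>[:<init>],<n>` tokens, that `basesrv` and `winsrv` are the only legitimate modules on a stock system, and that the malicious entry names `consrv`; the sample values are constructed for the example.

```python
"""Audit the Session Manager\\SubSystems 'Windows' value for unexpected
ServerDll modules and produce a repaired value (added example; the sample
strings below are constructed, not taken from the article)."""
import re
from typing import List, Tuple

# Server DLLs that csrss.exe legitimately loads on a stock Windows install.
# Assumption of this example, not a fact stated in the article.
KNOWN_SERVER_DLLS = {"basesrv", "winsrv"}

# (module, init function, ordinal) as written in a ServerDll= token.
ServerDllEntry = Tuple[str, str, str]

# Constructed sample: what a clean 'Windows' value typically looks like.
CLEAN_VALUE = (
    "%SystemRoot%\\system32\\csrss.exe ObjectDirectory=\\Windows "
    "SharedSection=1024,20480,768 Windows=On SubSystemType=Windows "
    "ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 "
    "ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off "
    "MaxRequestThreads=16"
)

# Constructed sample: the console server entry redirected to consrv.dll
# (the file name the article reports in system32).
INFECTED_VALUE = CLEAN_VALUE.replace(
    "ServerDll=winsrv:ConServerDllInitialization,2",
    "ServerDll=consrv:ConServerDllInitialization,2",
)


def parse_server_dlls(value: str) -> List[ServerDllEntry]:
    """Extract every ServerDll=<module>[:<init>],<n> token from the value."""
    entries: List[ServerDllEntry] = []
    for token in value.split():
        if not token.lower().startswith("serverdll="):
            continue
        body = token.split("=", 1)[1]
        mod_init, _, ordinal = body.partition(",")
        module, _, init = mod_init.partition(":")
        entries.append((module.lower(), init, ordinal))
    return entries


def suspicious_server_dlls(value: str) -> List[ServerDllEntry]:
    """Return ServerDll entries whose module is not on the allowlist."""
    return [e for e in parse_server_dlls(value) if e[0] not in KNOWN_SERVER_DLLS]


def restore_server_dll(value: str, bad_module: str, good_module: str) -> str:
    """Point every ServerDll entry for bad_module back at good_module.

    The caller supplies good_module (winsrv for the console server entry in
    the constructed sample); the init function and ordinal are left intact.
    """
    pattern = re.compile(r"(?i)(ServerDll=)" + re.escape(bad_module) + r"(?=[:,])")
    return pattern.sub(lambda m: m.group(1) + good_module, value)


if __name__ == "__main__":
    for name, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE)):
        print(name, "->", suspicious_server_dlls(value) or "no unexpected ServerDll")
    print("repaired:", restore_server_dll(INFECTED_VALUE, "consrv", "winsrv"))
```

On a live system the value would be read with `winreg.QueryValueEx` and written back only after the repaired string has been reviewed; the order matters, as the article notes: fix the key first, then remove the file, otherwise the next boot fails.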

The modules downloaded by MAX++ perform various actions – spoofing search results, Trojan-Clicker activity and downloading by command.

Kaspersky Lab products successfully protect against MAX++. The exploits are detected as HEUR:Trojan-Downloader.Script.Generic, while the malicious program itself is detected using both standard and heuristic signatures.
