Difference between revisions of "The ZeroAccess rootkit"

From Botnets.fr

Revision as of 20:18, 1 November 2012


The ZeroAccess rootkit
Botnet: ZeroAccess
Malware: ZeroAccess (bot)
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
C&C protocol: DGA
Date: 2012
Editor/Conference: Sophos
Link: http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess.aspx (www.sophos.com, archive copy available)
Author: James Wyke


ZeroAccess is a sophisticated kernel-mode rootkit that is rapidly becoming one of the most widespread threats in the current malware ecosystem. ZeroAccess' ability to run on both 32-bit and 64-bit versions of Windows, its resilient peer-to-peer command and control infrastructure and the constant updates to its functionality over time show that ZeroAccess is a modern threat capable of thriving on modern networks and modern operating systems. In this paper we explore the ZeroAccess threat, from the distribution mechanisms used to spread it, through the installation procedure, memory residence and payload. We examine how ZeroAccess works and what its ultimate goal is.


 @misc{2012BFR986,
   editor = {Sophos},
   author = {James Wyke},
   title = {The ZeroAccess rootkit},
   date = {02},
   month = Jun,
   year = {2012},
   howpublished = {\url{http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess.aspx}},
 }