ZACCESS/SIREFEF arrives with new infection technique

From Botnets.fr (publication entry). Revision as of 16:27, 7 February 2015.

Botnet: ZeroAccess
Date: 2012 / 14 August 2012
Editor/Conference: Trend Micro
Link: http://blog.trendmicro.com/zaccesssirefef-arrives-with-new-infection-technique/ (blog.trendmicro.com; an archive copy is also listed)
Author: Manuel Gatbunton

Abstract

During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware. The patched services.exe, detected by Trend Micro as PTCH_ZACCESS (for the 32-bit version) and PTCH64_ZACCESS (for the 64-bit version), was verified to be a component of the SIREFEF/ZACCESS malware family. ZACCESS (also known as ZEROACCESS) used this patched system file to run its other malicious components upon reboot. This proved to be a new variant of SIREFEF/ZACCESS, which now uses a user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques.
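The abstract describes an on-disk patch of services.exe that survives reboot without any kernel-mode component. The check an incident responder would want is therefore a file-integrity test of services.exe itself. The following PowerShell script is an added example, written for this entry and not taken from the Trend Micro post or from Botnets.fr; it validates the Authenticode signature of services.exe and compares its SHA-256 hash with the copies staged in the component store (WinSxS). It assumes it is run from an elevated PowerShell on the host under examination, and that the WinSxS copy of the installed version has not itself been tampered with (the patching described in the abstract targets the live file in System32).

```powershell
# Added example (not from the Trend Micro post or Botnets.fr): detect an
# in-place patch of services.exe, the persistence technique the abstract
# describes. Two independent checks:
#   1. Authenticode signature: patching the file invalidates Microsoft's
#      signature (Status typically becomes HashMismatch).
#   2. Hash comparison against the copies held in the component store
#      (WinSxS); a patcher that only rewrites System32\services.exe leaves
#      those untouched.
# Assumptions: elevated PowerShell on the examined host; WinSxS is intact.

function Test-ServicesExeIntegrity {
    param(
        [string]$Target = (Join-Path $env:SystemRoot 'System32\services.exe')
    )

    if (-not (Test-Path -Path $Target)) {
        throw "File not found: $Target"
    }

    $result = [ordered]@{
        Path             = $Target
        SignatureStatus  = $null
        Signer           = $null
        Sha256           = $null
        WinSxSMatches    = @()
        WinSxSMismatches = @()
        Verdict          = 'Unknown'
    }

    # Check 1: Authenticode signature of the live file.
    $sig = Get-AuthenticodeSignature -FilePath $Target
    $result.SignatureStatus = $sig.Status.ToString()
    if ($sig.SignerCertificate) {
        $result.Signer = $sig.SignerCertificate.Subject
    }

    # Check 2: compare the live file's hash with every services.exe staged
    # in WinSxS. Several versions may be staged (one per servicing update),
    # so mismatches alone are not suspicious; at least one match is expected.
    $result.Sha256 = (Get-FileHash -Path $Target -Algorithm SHA256).Hash
    $staged = Get-ChildItem -Path (Join-Path $env:SystemRoot 'WinSxS') `
        -Recurse -Filter 'services.exe' -File -ErrorAction SilentlyContinue
    foreach ($f in $staged) {
        $h = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        if ($h -eq $result.Sha256) {
            $result.WinSxSMatches += $f.FullName
        } else {
            $result.WinSxSMismatches += $f.FullName
        }
    }

    if ($result.SignatureStatus -eq 'Valid' -and $result.WinSxSMatches.Count -gt 0) {
        $result.Verdict = 'Clean: signature valid and an identical copy exists in WinSxS'
    } elseif ($result.SignatureStatus -ne 'Valid') {
        $result.Verdict = "Suspicious: signature status is $($result.SignatureStatus); " +
                          'treat the file as possibly patched and submit it for analysis'
    } else {
        $result.Verdict = 'Inconclusive: signature valid but no identical copy in WinSxS ' +
                          '(component store pruned, or file replaced out of band)'
    }

    [pscustomobject]$result
}

Test-ServicesExeIntegrity | Format-List
```

Two caveats apply. On older Windows releases, where system binaries are signed only through a catalog rather than an embedded signature, Get-AuthenticodeSignature may report NotSigned for an untouched services.exe; in that case rely on the WinSxS comparison, or verify the hash with a tool that consults catalogs (for example Sysinternals sigcheck), before calling the file patched. Second, both checks see only the file on disk: a valid result does not rule out the other malicious components the abstract says the patched file loads at boot, so a signature failure should be followed by analysis of the file and of what it executes, not treated as the end of the investigation.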

Bibtex

 @misc{2012BFR1092,
   editor = {Trend Micro},
   author = {Manuel Gatbunton},
   title = {ZACCESS/SIREFEF arrives with new infection technique},
   date = {2012-08-14},
   month = aug,
   year = {2012},
   howpublished = {\url{http://blog.trendmicro.com/zaccesssirefef-arrives-with-new-infection-technique/}},
 }