Step-by-step reverse engineering malware: ZeroAccess / Max++ / Smiscer crimeware rootkit
(Publication)
Step-by-step reverse engineering malware: ZeroAccess / Max++ / Smiscer crimeware rootkit | |
---|---|
Malware | ZeroAccess, Max++, Smiscer |
Date | 12 November 2010 |
Editor/Conference | Infosec Institute |
Link | http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/ |
Author | Giuseppe Bonfa |
Abstract
“This four-part article series is a complete step-by-step tutorial on how to reverse engineer the ZeroAccess rootkit. ZeroAccess is also known as the Smiscer or Max++ rootkit. You can either read along to gain an in-depth understanding of the thought process behind reverse engineering modern malware of this sophistication. The author prefers that you download the various tools mentioned within and reverse the rootkit yourself as you read the article. If you would like to use the malware sample used in these articles, download it here: Max++ Malware. Note that this archive is password protected and the password is infected.
InfoSec Institute would classify ZeroAccess as a sophisticated, advanced rootkit. It has 4 main components that we will reverse in great detail in this series of articles. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power-users to remove and very difficult for security experts to forensically analyze.”
Bibtex
@misc{Bonfa2010,
  editor = {Infosec Institute},
  author = {Giuseppe Bonfa},
  title = {Step-by-step reverse engineering malware: ZeroAccess / Max++ / Smiscer crimeware rootkit},
  date = {2010-11-12},
  month = nov,
  year = {2010},
  howpublished = {\url{http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/}},
}