Step-by-step reverse engineering malware: ZeroAccess / Max++ / Smiscer crimeware rootkit


Step-by-step reverse engineering malware: ZeroAccess / Max++ / Smiscer crimeware rootkit
Malware: ZeroAccess, Max++, Smiscer
Botnet/malware group:
Exploit kits:
Distribution vector:
Operation/Working group:
Date: 2010 / 12 November 2010
Editor/Conference: Infosec Institute
Link: (archive copy)
Author: Giuseppe Bonfa


This four-part article series is a complete step-by-step tutorial on how to reverse engineer the ZeroAccess rootkit. ZeroAccess is also known as the Smiscer or Max++ rootkit. You can either read along to gain an in-depth understanding of the thought process behind reverse engineering modern malware of this sophistication, or, as the author prefers, download the various tools mentioned within and reverse the rootkit yourself as you read the article. If you would like to use the malware sample used in these articles, download it here: Max++ Malware. Note that this archive is password protected and the password is infected.

InfoSec Institute would classify ZeroAccess as a sophisticated, advanced rootkit. It has four main components that we will reverse in great detail in this series of articles. ZeroAccess is a compartmentalized crimeware rootkit that serves as a platform for installing various malicious programs onto victim computers. It also supports features to make itself and the installed malicious programs impossible for power users to remove and very difficult for security experts to forensically analyze.


 @misc{2010BFR827,
   editor = {Infosec Institute},
   author = {Giuseppe Bonfa},
   title = {Step-by-step reverse engineering malware: ZeroAccess / Max++ / Smiscer crimeware rootkit},
   date = {2010-11-12},
   month = nov,
   year = {2010},
   howpublished = {\url{}},