ZACCESS/SIREFEF arrives with new infection technique
Jump to navigation
Jump to search
(Publication) Google search: [1]
| ZACCESS/SIREFEF arrives with new infection technique | |
|---|---|
| Botnet | ZeroAccess |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / 14 aug2012 |
| Editor/Conference | Trend Micro |
| Link | http://blog.trendmicro.com/zaccesssirefef-arrives-with-new-infection-technique/ (Archive copy) |
| Author | Manuel Gatbunton |
| Type | |
Abstract
“ During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware. The patched services.exe, detected by Trend Micro as PTCH_ZACCESS (for 32-bit version) and PTCH64_ZACCESS (for 64-bit version), was verified to be a component of the SIREFEF/ZACCESS malware family. ZACCESS (also known as ZEROACCESS) used this patched system file to run its other malicious components upon reboot. This proved to be a new variant of SIREFEF/ZACCESS, which now uses user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR1092,
editor = {Trend Micro},
author = {Manuel Gatbunton},
title = {ZACCESS/SIREFEF arrives with new infection technique},
date = {14},
month = Aug,
year = {2012},
howpublished = {\url{http://blog.trendmicro.com/zaccesssirefef-arrives-with-new-infection-technique/}},
}