ZeroAccess anti-debug uses debugger
Jump to navigation
Jump to search
(Publication) Google search: [1]
| ZeroAccess anti-debug uses debugger | |
|---|---|
| Botnet | ZeroAccess |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2013 / 2013-07-25 |
| Editor/Conference | Malwarebytes |
| Link | http://blog.malwarebytes.org/intelligence/2013/07/zeroaccess-anti-debug-uses-debugger/ (Archive copy) |
| Author | Joshua Cannell |
| Type | Blogpost |
Abstract
“ The technique employs various native Win32 APIs used for debugging a process. By using these APIs, the analyst cannot use their own debugger, since only one debugger can be attached to a process at a time.
To connect to the debugger at the API level, the Trojan uses DbgUIConnectToDbg. This API along with others used to communicate with the Windows Debugger all seem to be undocumented by Microsoft.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1356,
editor = {Malwarebytes},
author = {Joshua Cannell},
title = {ZeroAccess anti-debug uses debugger},
date = {25},
month = Jul,
year = {2013},
howpublished = {\url{http://blog.malwarebytes.org/intelligence/2013/07/zeroaccess-anti-debug-uses-debugger/}},
}