ZeroAccess anti-debug uses debugger

From Botnets.fr


Title: ZeroAccess anti-debug uses debugger
Botnet: ZeroAccess
Malware:
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2013 / 2013-07-25
Editor/Conference: Malwarebytes
Link: http://blog.malwarebytes.org/intelligence/2013/07/zeroaccess-anti-debug-uses-debugger/
Author: Joshua Cannell
Type: Blogpost

Abstract

The technique employs several native Win32 APIs that are normally used to debug a process. Because the Trojan uses these APIs to act as its own debugger, an analyst cannot attach their own debugger: only one debugger can be attached to a process at a time.

To connect to the debugging subsystem at the API level, the Trojan calls DbgUiConnectToDbg. This API, along with the others it uses to communicate with the Windows debugger, appears to be undocumented by Microsoft.

Bibtex

 @misc{2013BFR1356,
   editor = {Malwarebytes},
   author = {Joshua Cannell},
   title = {ZeroAccess anti-debug uses debugger},
   date = {25},
   month = Jul,
   year = {2013},
   howpublished = {\url{http://blog.malwarebytes.org/intelligence/2013/07/zeroaccess-anti-debug-uses-debugger/}},
 }