During the last weeks of July, we received reports from customers that their services.exe files were being patched by an unknown malware. The patched services.exe, detected by Trend Micro as PTCH_ZACCESS (for 32-bit version) and PTCH64_ZACCESS (for 64-bit version), was verified to be a component of the SIREFEF/ZACCESS malware family. ZACCESS (also known as ZEROACCESS) used this patched system file to run its other malicious components upon reboot. This proved to be a new variant of SIREFEF/ZACCESS, which now uses user-mode technique to stealthily load its malicious code, instead of using regular rootkit techniques.
Investigating these cases further using the Trend MicroT Smart Protection NetworkT, we were able to locate the main malware (BKDR_ZACCESS.SMQQ) responsible for patching services.exe. We also identified all of the components related to its infection routine. We found that the infection started with the execution of K-Lite Codec Pack.exe (downloaded by the user) and resulted to the patching and executing of the patched services.exe.
This malware propagates by bundling the main malware in crack/keygen applications or game installers. It can also disguise itself as a required codec that needs to be installed to play a downloaded movie via peer-to-peer (P2P) applications, which can be found on sites dedicated to keygen apps or in P2P services. Below are some of the names used. Note that these file names contain popular movies:
Downloaded binary via P2P:
- %P2P DL folder%\The_Hunger_Games_2012_DVDRip_XviD_AMV\K-Lite Codec Pack 9.0.exe
- %P2P DL folder%\Alien_1979_DVDRip_XviD_FKG\K-Lite Codec Pack 9.0.exe
- %P2P DL folder%\The_Amazing_Spider-Man_2012_DVDRip_XviD_YKG\K-Lite Codec Pack 9.0.exe
- %P2P DL folder%\John_Carter_2012_DVDRip_XviD_IIN\K-Lite Codec Pack 9.0.exe
- %P2P DL folder%\The_Dark_Knight_Rises_2012_DVDRip_XviD_QEV\K-Lite Codec Pack 9.0.exe
%P2P DL folder%\ refers to the P2P folder where the file is being saved after downloading it.
Downloaded binary via direct download:
Binary Planting Technique
Once installed, the main ZACCESS dropper (detected as BKDR_ZACCESS.KP) checks the current user privileges. If the user is an administrator, the malware continues its installation routine. But if the user is a non-administrator user, the malware elevates its privileges to proceed with malware installation. The malware drops and executes BKDR_ZACCESS.SMQQ, which causes a User Account Control (UAC) notification to appear onscreen.
When it appears, users may possibly not allow the file to execute, thinking that the file is suspicious, halting the ZACCESS installation. To bypass this, ZACCESS forces the UAC dialog box to pop up by executing a non-malicious Adobe Flash installer (InstallerFlashPlayer.exe).
To do this, ZACCESS drops InstallerFlashPlayer.exe and the malicious file msimg32.dll (BKDR_ZACCESS.SMQQ) in the user temporary folder. This technique is known as binary planting, a form of DLL Search Order abuse, that ensures the loading of the ZACCESS malicious code into the InstallerFlashPlayer process address when it is executed. By default, when InstallerFlashPlayer.exe is executed, Windows looks for the msimg32.dll in the current folder before searching the Windows system folder. Because BKDR_ZACCESS.KP dropped the malicious msimg32.dll into the current directory, Windows loads the malicious code instead of the original one.
Our research noted a sudden increase in ZACCESS/SIREFEF infections in July 2012. Based on the data we gathered from the Smart Protection NetworkT, below is a chart representing the number of affected machines by this new ZACCESS variant:
Among countries affected, the United States had the most number of infections compared to other countries such as Japan, Australia and the United Kingdom.
Leave a reply