ZeroAccess rootkit Redux

I came across a few samples today that gave CIS problems.

Test setup- CIS 6.1.275152.2801 Def ver 16070

Settings changed from stock: Proactive Security; Behavior Blocker: Untrusted; HIPS: either Untrusted or Paranoid (the test was run under both settings).

Three rootkit samples were run. They were new samples, so there were no AV defs at this time. The "Application isolated" alert was seen in all cases. All 3 samples led to infection.

Mods please PM for samples if interested.

http://camas.comodo.com/cgi-bin/submit?file=58c8544ae9955b9ad95c9e083b0839461f9d4adf16225279b9688b9f1367d36d

  1. File rating can only collect executables with certain extensions shown in Protected Objects.

  2. By default, Comodo does not put it into the Unrecognized Files.
    C:\RECYCLER\S-1-5-21-1390067357-492894223-1417001333-1003$8cd8205ca46fb882beb1eaf1faef0d77\n

  3. Maybe this one is a bug.

  4. It does not harm the PC, because the malware can not create any autorun entry under the restriction of the BB.

  5. There are two solutions for this one; the user can do one of them.
    (1) enable the “Clean PC Mode” (HIPS enabled)
    (2) add the following line to the “Protected Files”:
    ?:*


Could you send me the samples?

“4. It does not harm the PC, because the malware can not create any autorun entry under the restriction of BB”

Doesn’t sound like an infection to me.

Taking up residence invisibly in the recycle bin is a very common approach for Password Stealers/Backdoors/Botnets/Rootkits. As far as no autorun entry being present, I really don’t know what you mean as this particular malware will stay lodged in the bin on every reboot, so indeed it does start with Windows. Also, as you have noted yourself in the CAMAS report, files were compromised, registry keys created.
The only way to detect and clean the infection proper is with a second opinion scanner, and this will only clear the malware itself, but not reverse changes made.

But to Comodo’s credit, all 3 samples I provided were detected either by the cloud or in the def set within 12 hours of submission.
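As an added defender's check (example code written for this thread, not from the thread or from Comodo), the following Python flags files that live in a RECYCLER "$<hex>" sub-folder like the path quoted from the CAMAS note above, which ordinary Recycle Bin entries never use. The sample listing is constructed; only its first entry is taken from this thread, and the `scan_recycler` helper for a live drive is an assumption about where one would point it.

```python
import os
import re
from typing import Dict, Iterable, List, Optional

# Layout reported in the thread: <drive>:\RECYCLER\<SID>[\]$<32 hex chars>\<payload>.
# The separator before "$" is optional because the thread quotes the path without one.
# Ordinary XP-era Recycle Bin entries sit directly under the SID folder as Dc<n>.<ext>
# next to the INFO2 index; they are never placed in a "$<hex>" sub-folder.
SUSPECT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\RECYCLER\\(?P<sid>S-1-5-[0-9-]+?)\\?"
    r"\$(?P<marker>[0-9a-fA-F]{32})\\(?P<payload>.+)$"
)

def classify_path(path: str) -> Optional[Dict[str, str]]:
    """Return the matched components for a suspect path, or None if it looks ordinary."""
    m = SUSPECT_RE.match(path)
    return m.groupdict() if m else None

def find_suspect_paths(paths: Iterable[str]) -> List[Dict[str, str]]:
    """Apply classify_path to any listing (live walk, disk-image export, log lines)."""
    hits = []
    for p in paths:
        info = classify_path(p)
        if info:
            info["path"] = p
            hits.append(info)
    return hits

def scan_recycler(drive: str = "C:") -> List[Dict[str, str]]:
    """Walk the live RECYCLER folder of a drive (assumed location) and return suspect entries."""
    root = f"{drive}\\RECYCLER"
    paths = (os.path.join(dirpath, name)
             for dirpath, _, files in os.walk(root) for name in files)
    return find_suspect_paths(paths)

# Constructed sample listing: the first entry is the path quoted in the thread,
# the rest are ordinary Recycle Bin and system files added here for contrast.
SAMPLE_LISTING = [
    r"C:\RECYCLER\S-1-5-21-1390067357-492894223-1417001333-1003$8cd8205ca46fb882beb1eaf1faef0d77\n",
    r"C:\RECYCLER\S-1-5-21-1390067357-492894223-1417001333-1003\Dc1.txt",
    r"C:\RECYCLER\S-1-5-21-1390067357-492894223-1417001333-1003\INFO2",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for hit in find_suspect_paths(SAMPLE_LISTING):
        print(f"suspect: {hit['path']} (SID {hit['sid']}, marker {hit['marker']}, file {hit['payload']})")
```

Run against a listing exported from a suspect machine, a hit is a file to pull for a second-opinion scan, not proof of infection on its own.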

With the upcoming versions of CIS, be prepared to see the full BB + virus reverser:
“If you install an app and later find it’s malware, CIS will be able to reverse all the actions made by the malware. I’m thinking this combined with the BB will be extremely powerful. It will fix the problem with dropped files when a piece of malware runs as partially limited”.

:o That sounds so beautiful. Can’t wait for the next version then. You changed all my doubts about Comodo with this. Thank you for this, man.

I don’t know anything about the above, but I would recommend against assuming that it will be in THE next version. spywar says “upcoming versions” and “be prepared”, so while it seems it’ll come eventually, it doesn’t sound like the very next version. Just to avoid any disappointments if the next version comes without these features.

Yep, thanks for that. Anyway, I’ll wait for the version to return to my old friend :P

The next version of CIS will address some users’ feedback regarding the GUI.

WOW… Can’t wait… 8)

One more Q: what OS was used? Which environment?

Windows 7 32-bit was used. The reason for using 32-bit was that yesterday, when we ran our tests, there were a number of 32-bit-specific malware samples available.

Also, changing the CIS settings to Safe Mode and including C:/? in Protected Files will obviously have no effect.

CIS is a superb product already, and the fact that they were within hours after first detection in providing definitions for these malware samples, to my mind, totally puts to rest the misconception that the AV is not strong. To expand on this, these samples were part of a malware package we collected; it totaled 1150 unique samples from zero day to D+3. CIS detected all but 65 via Cloud/AV. Sixty-two were rendered harmless by D+, leaving only these 3 not stopped. I would consider this ratio nothing short of superb.

But we should all try to attain perfection, thus my bringing this up.

I see. Thanks for more detailed info. :slight_smile: :-TU

Okay, this sounds pretty much like how Webroot SecureAnywhere works.
It has a journaling system.

If a trojan infiltrates your system and steals info, then reversing it really is of no use.
Why on earth would I do this when all I need to do is restore an image in 15 minutes?

It’s not an option I would like to see in Comodo.

Lots of users don’t use imaging software.

That’s right, and I hope it also contains fixes for some bugs that exist in the current version :-TU

Okay, well that is a problem in itself. :slight_smile:

Stealing info = transmitting info outside to someone = outbound connections = blocked by a properly set firewall.

Unless you run your system without any firewall…

I’ve been testing CIS in default settings against this ZeroAccess. CIS successfully blocked the rootkit. It was able to drop some files in the Recycle Bin, but the rootkit never runs in memory and isn’t allowed to create a registry key to run at boot, so the files are sitting there harmless.