Wednesday, 10 July 2013

Zero Access [Terminate Services]


2EFE003B8969FA946F194333152F334C (Original Binary)
9645CD309A01211C8DB323EBFCC44C6B (Unpacked Binary)


Persistence mechanisms refer to any functionality that helps the malware continue to operate in its environment. These include the termination of anti-virus, anti-malware or any process/service that hinders its operations.

Using DeleteService API to Terminate Services
The following subroutine is part of the function that deletes services (renamed to Mod_Svcs_DeleteSvc). Prior to this function call, the malware will attempt to open a particular service, set the source index (ESI) to its service handle and call the Mod_Svcs_DeleteSvc function.

The calling function of Mod_Svcs_DeleteSvc iterates through a fixed set of specific services to delete.

Zero Access will attempt to delete the following services:

MsMpSvc - Microsoft Protection Service
Windefend - Windows Defender Service
SharedAccess - Internet Connection Sharing (ICS) Service (affects Windows Firewall)
iphlpsvc - IP Helper Service
wscsvc - Windows Security Center Service
mpssvc - Windows Firewall Service
bfe - Base Filtering Engine Service (required for ESET NOD32 Antivirus & Zonealarm v9.2.X)
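The list above doubles as a triage checklist: on a host suspected of a Zero Access infection, an analyst wants to know which of these services are already gone or stopped. The script below is an added example written for this post, not code from the original analysis or from the malware. It parses the text output of `sc query state= all` (constructed sample output is embedded so it runs offline) and reports which of the targeted services are missing from the Service Control Manager or not running. The function and variable names are the author's own choices.

```python
import re
import sys

# Services Zero Access attempts to delete, as listed in this post.
# The SCM matches service names case-insensitively, so comparisons below do too.
TARGETED_SERVICES = {
    "MsMpSvc": "Microsoft Protection Service",
    "WinDefend": "Windows Defender Service",
    "SharedAccess": "Internet Connection Sharing (ICS)",
    "iphlpsvc": "IP Helper Service",
    "wscsvc": "Windows Security Center Service",
    "mpssvc": "Windows Firewall Service",
    "bfe": "Base Filtering Engine Service",
}

# Constructed sample of `sc query state= all` output: one running target,
# one stopped target, one unrelated service, and several targets absent.
SAMPLE_SC_OUTPUT = """
SERVICE_NAME: WinDefend
DISPLAY_NAME: Windows Defender Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: iphlpsvc
DISPLAY_NAME: IP Helper
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
"""


def parse_sc_query(text):
    """Map lower-cased service name -> state word (RUNNING, STOPPED, ...)."""
    services = {}
    current = None
    for line in text.splitlines():
        name_match = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        if name_match:
            current = name_match.group(1).lower()
            services[current] = "UNKNOWN"
            continue
        # STATE lines look like "STATE : 4  RUNNING"; keep the word, not the number.
        state_match = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if state_match and current is not None:
            services[current] = state_match.group(1).upper()
    return services


def check_targeted_services(sc_output):
    """Return which targeted services are absent from the SCM or not running."""
    inventory = parse_sc_query(sc_output)
    missing, stopped = [], []
    for name in TARGETED_SERVICES:
        state = inventory.get(name.lower())
        if state is None:
            missing.append(name)
        elif state != "RUNNING":
            stopped.append(name)
    return {"missing": missing, "stopped": stopped}


if __name__ == "__main__":
    # Usage on a Windows host:  sc query state= all > svcs.txt && python check_svcs.py svcs.txt
    # With no argument the constructed sample is used instead.
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_SC_OUTPUT
    report = check_targeted_services(text)
    for name in report["missing"]:
        print(f"MISSING : {name} ({TARGETED_SERVICES[name]})")
    for name in report["stopped"]:
        print(f"STOPPED : {name} ({TARGETED_SERVICES[name]})")
```

A missing entry is a lead, not a verdict: MsMpSvc only exists where Microsoft Security Essentials is installed, and SharedAccess is absent on some server SKUs, so compare against a known-good baseline for the same Windows edition. Note also that DeleteService only marks a service for deletion; the entry disappears from `sc query` once the service is stopped and all open handles to it are closed, so a just-deleted service can still appear as STOPPED for a short while.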
