Thursday, March 24, 2016

ZeroAccess Rootkit

ZeroAccess is a Trojan with a rootkit component that silently infects Windows computers and turns each one into a bot, a node in a botnet that the attackers control and exploit for their own purposes. It is rated a high security risk because it hides itself from the operating system, runs with the highest privileges it can obtain and, once in place, resists removal.

ZeroAccess was first seen in 2011 and since then has infected, and at the time of writing still infects, millions of systems.

How does ZeroAccess infect a computer?

ZeroAccess typically infects a system in stages.

The attackers first host a set of malicious PHP scripts, an exploit kit, on a server they control, and use various techniques to trick an unsuspecting user into visiting that site.

They may send the victim an email with a link to the site and use social engineering to convince them to click it. They may also compromise legitimate websites and redirect their visitors to the malicious site.

When the victim visits, the scripts probe the browser and its plugins for known, unpatched vulnerabilities in commonly installed software such as Internet Explorer, Adobe Flash, Adobe Acrobat and Java, and exploit one of them to download and run the ZeroAccess dropper with no further interaction from the user (a drive-by download).

The attackers may also bundle the dropper with legitimate-looking software, or with a crack or keygen for a commercial program, and publish it as a torrent. When the victim installs the "software", ZeroAccess silently installs alongside it.

Once the dropper runs, installation begins. It first determines whether the infected system is 32-bit or 64-bit and runs the installation routine for that architecture; the two versions differ in how deeply they embed themselves (the 32-bit version loads a kernel-mode driver, which is what makes it a rootkit).

The malware escalates its privileges so that it runs with administrative rights, and uses them to lower the security of the system, for example by disabling the Windows Firewall and other security services, before exploiting the machine.

Purpose of the ZeroAccess Rootkit

After successfully infecting a system, ZeroAccess turns it into a bot and begins using its computational and network resources for the attackers' purposes.

The ZeroAccess botnet is used mostly for click fraud and Bitcoin mining. In click fraud, the bots simulate clicks on advertisements that are paid for on a pay-per-click basis, so that the attackers earn illegitimate advertising revenue. Otherwise, the bots spend their CPU time mining bitcoins for the attackers. In both cases the bots exchange peer lists and receive new modules over a peer-to-peer network, so an infected machine shows up as unusual outbound traffic as well as unusual CPU load.
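As an added example (not code from this post, nor from any ZeroAccess sample), the following Python script flags hosts whose outbound UDP traffic looks like the peer-to-peer beaconing of the 2012-era ZeroAccess botnet. The port set, the log format and the peer-count threshold are assumptions for the example: the UDP ports are the ones public analyses attributed to that variant and should be checked against current threat intelligence, and the firewall log lines are constructed, not captured traffic.

```python
"""Flag hosts whose outbound UDP traffic looks like ZeroAccess peer-to-peer beaconing.

Added example: not code from the post or from any ZeroAccess sample. The port
set, the log format and the threshold below are assumptions for the example.
"""
import re
from collections import defaultdict

# UDP ports that public analyses attributed to the 2012-era P2P ZeroAccess
# variant (16464/16471 for 32-bit bots, 16465/16470 for 64-bit). Assumption:
# verify against current threat intelligence before relying on it.
ZEROACCESS_UDP_PORTS = frozenset({16464, 16465, 16470, 16471})

# A bot exchanges peer lists with many peers; a single packet to one of these
# ports is not enough to flag a host. Threshold chosen for the example.
MIN_DISTINCT_PEERS = 5

# Assumed firewall log format (constructed for the example):
#   <timestamp> proto=<udp|tcp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_p2p_bots(lines, ports=ZEROACCESS_UDP_PORTS, min_peers=MIN_DISTINCT_PEERS):
    """Return {source_ip: sorted peer IPs} for hosts that contacted at least
    `min_peers` distinct destinations on the suspicious UDP ports. Denied
    packets count too: a bot keeps trying even when the firewall blocks it."""
    peers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "udp":
            continue
        if rec["dport"] in ports:
            peers[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in peers.items() if len(dsts) >= min_peers}


# Constructed sample log (not real traffic). 10.0.0.5 sprays UDP to six distinct
# peers on 16464/16471; 10.0.0.7 does a DNS lookup and one TCP connection;
# 10.0.0.9 sends a single packet to 16470, below the threshold.
SAMPLE_LOG = [
    "2016-03-24T10:00:01 proto=udp src=10.0.0.5:49152 dst=198.51.100.10:16464 action=allow",
    "2016-03-24T10:00:01 proto=udp src=10.0.0.5:49152 dst=198.51.100.23:16464 action=allow",
    "2016-03-24T10:00:02 proto=udp src=10.0.0.5:49152 dst=203.0.113.8:16471 action=allow",
    "2016-03-24T10:00:02 proto=udp src=10.0.0.5:49152 dst=203.0.113.77:16471 action=allow",
    "2016-03-24T10:00:03 proto=udp src=10.0.0.5:49152 dst=192.0.2.45:16464 action=deny",
    "2016-03-24T10:00:03 proto=udp src=10.0.0.5:49152 dst=192.0.2.99:16471 action=allow",
    "2016-03-24T10:00:03 proto=udp src=10.0.0.5:49152 dst=198.51.100.10:16464 action=allow",  # repeat peer
    "2016-03-24T10:00:04 proto=udp src=10.0.0.7:53211 dst=8.8.8.8:53 action=allow",
    "2016-03-24T10:00:05 proto=tcp src=10.0.0.7:53212 dst=198.51.100.10:16464 action=allow",  # TCP, ignored
    "2016-03-24T10:00:06 proto=udp src=10.0.0.9:40000 dst=203.0.113.8:16470 action=allow",
]

if __name__ == "__main__":
    for src, dsts in find_p2p_bots(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct peers on ZeroAccess P2P ports -> {', '.join(dsts)}")
```

The check keys on distinct destinations rather than packet count because the bot's peer-list exchange fans out to many hosts, which is what separates it from a legitimate program that happens to use one of these ports against a single server. Denied packets are counted as well, since a blocked bot still reveals itself by retrying.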


ZeroAccess alters the Master Boot Record (MBR) of the infected computer and hides its files and drivers from the running system, so the rootkit can be very difficult to remove. A scanner that runs inside the infected operating system only sees what the rootkit lets it see; an offline scan from rescue media, or a comparison of the disk's first sector against a known-good copy, is more trustworthy.
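As an added example of the baseline comparison just mentioned (it is not code from this post, nor from any ZeroAccess sample or vendor tool), the Python below parses a raw 512-byte MBR, hashes the boot code and decodes the partition table, and reports which part of the sector differs from a saved baseline. The sectors it checks are constructed in the script so that it runs offline; on a real Windows machine the first sector would be read with raw-disk access from the physical drive, which requires administrator rights, and the baseline would be taken when the machine is known to be clean.

```python
"""Baseline-and-compare integrity check for a raw 512-byte Master Boot Record.

Added example: not ZeroAccess code and not from any vendor removal tool.
The sample sectors below are constructed, not read from a real disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot code
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

# One partition entry: status, 3-byte CHS start (skipped), type, 3-byte CHS end
# (skipped), 32-bit LBA start, 32-bit sector count, all little-endian.
PART_ENTRY = struct.Struct("<B3xB3xII")


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into a boot-code digest and its non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = PART_ENTRY.unpack_from(sector, PART_TABLE_OFF + 16 * i)
        if ptype == 0:           # type 0 = unused entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    b, c = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if b["boot_code_sha256"] != c["boot_code_sha256"]:
        findings.append("boot code changed")
    if b["partitions"] != c["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a synthetic MBR with one bootable NTFS partition (sample data, not a real disk)."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # bootable (0x80), type 0x07 (NTFS), starting at LBA 2048, 204800 sectors
    PART_ENTRY.pack_into(sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a "clean" boot stub (cli; xor ax,ax; mov ds,ax; then nops)
# and a copy whose first instruction was replaced by a short jump, the kind of
# change a bootkit makes to divert control to its own code before the OS loads.
CLEAN_BOOT_CODE = b"\xfa\x31\xc0\x8e\xd8" + b"\x90" * (BOOT_CODE_LEN - 5)
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3e" + CLEAN_BOOT_CODE[2:])   # jmp short +0x3e

if __name__ == "__main__":
    print("clean vs clean:   ", compare_mbr(CLEAN_MBR, CLEAN_MBR) or "no change")
    print("clean vs tampered:", compare_mbr(CLEAN_MBR, TAMPERED_MBR))
```

Hashing the boot code and decoding the partition table separately tells the responder which kind of change happened: a rewritten boot stub points at a bootkit, while a changed partition table can also be a legitimate repartitioning. The comparison must be made from outside the suspect system (rescue media or a disk image), because a kernel-level rootkit can serve a clean copy of the sector to any reader running on the infected OS.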

Nevertheless, several anti-malware programs can remove ZeroAccess effectively, and the major vendors publish dedicated removal tools for it. Follow the removal process the program suggests, which usually includes a reboot and an offline scan, and re-check the machine afterwards.

One can also take a few steps to prevent infection in the first place. Keep the anti-malware program updated. Keep commonly used software, especially the browser and its plugins (Flash, Acrobat, Java), updated with the latest security patches, and remove plugins that are not needed. Run as a standard user rather than an administrator, so a drive-by exploit does not get administrative rights for free. Since the malware relies on unpatched vulnerabilities in common software to get in, the fewer vulnerabilities a system exposes, the smaller the chance of infection.

So stay aware of the vulnerabilities in the software you run, so that you can protect your systems better. And stay safe, stay secure.
