Trojan.ZeroAccess infection analysis
(Publication) Google search: [1]
| Trojan.ZeroAccess infection analysis | |
|---|---|
| Botnet | ZeroAccess |
| Malware | ZeroAccess (bot) |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2012 / |
| Editor/Conference | Symantec |
| Link | http://www.symantec.com/content/en/us/enterprise/media/security response/whitepapers/trojan zeroaccess infection analysis.pdf (Archive copy) |
| Author | Sean Hittel, Rong Zhou |
| Type | |
Abstract
“ ZeroAccess, also known as “Smiscer” or “Max++ rootkit”, is a malicious Windows threat used to generate revenue primarily through pay-per-click fraud. ZeroAccess uses low-level rootkit functionality to remain persistent and stealth. It arrives through various vectors, including Web exploit kits and social engineering attacks. Although ZeroAccess contains generic back door functionality that could be used for multiple purposes, it has been observed to download fake security software, perform click fraud, and search engine poisoning. In addition to describing ZeroAccess’ revenue generation scheme, this paper outlines examples of ZeroAccess’ infection vectors, as well as its infection logic and back door functionality. Through click fraud, the authors are estimated to earn six-figures annually.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2012BFR973,
editor = {Symantec},
author = {Sean Hittel, Rong Zhou},
title = {Trojan.ZeroAccess infection analysis},
date = {02},
month = May,
year = {2012},
howpublished = {\url{http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/trojan_zeroaccess_infection_analysis.pdf}},
}