ZeroAcces is a Trojan horse who use an advanced rootkit to hide itself and create a back door on the compromised host.

The computers are infected  by "drive-by download" attacks:
  1. People who download and execute suspicious programs (ActiveX, Java applet...) without understanding the consequences.
  2. Downloads that happening without user authorization (malware, browser exploits...).
You can learn how the modern malware works downloading "Modern Malware for Dummies".

ZeroAccess want to make money through pay per click advertising using click fraud which is a very lucrative business.

We don't want to analyze this Trojan. I want to show you how you can detect it with Fortigate Firewalls and Snort over Ossim without Antivirus.

This Trojan used port 16464/udp, but I have also seen traffic on the ports 16465/udp, 16470/udp and 16471/udp. You need to deny and log this traffic to detect it.

First it's necessary to create a Custom service.

Then you need to create a policy rule at the top of your policies.

Finally It's necessary to watch your logs and locate the ID of this policy rule. In the log you will see the infected source IP.

If you are working with Ossim & Snort, you should add the next rules into your policies.

First, go to "Policy & Actions" and click on "Trojan".

Type ZeroAccess and add all of the Snort results.

Finally go to Analysis --> Security Events and search the Signature ZeroAccess.