A few days ago, I talked about How to detect ZeroAccess in your Network. Now, I want to show you how this trojan works.

The goal of this trojan is to earn money through click fraud, a type of crime that abuses pay-per-click advertising by generating fraudulent or fake clicks on advertisements. ZeroAccess makes money each time it generates a click on an ad. In addition, ZeroAccess has its own botnet, which is ideal for generating a large number of clicks.

I got a sample of this trojan. I uploaded the binary to VirusTotal and only 3 antivirus engines detected it as a trojan. If you want a copy, contact me at the bottom of this page.

You can check how many antivirus engines currently detect the file as malware here:
https://www.virustotal.com/es/file/0aae3d7df5c153378596ac03f1796b8800337e14e243529106cfc681005b7ab7/analysis/

I created a virtual machine and executed the sample in a fresh environment.

The first thing ZeroAccess does is connect to http://j.maxmind.com/app/geoip.js in order to geolocate the infected host.



The second thing the trojan does is connect to several public web hit counters. It seems the botnet operators want to know how many hosts they have infected.

http://www.e-zeeinternet.com/count.php?page=953121&style=LED_g&nbdigits=9
http://www.e-zeeinternet.com/count.php?page=953130&style=LED_g&nbdigits=9
http://www.e-zeeinternet.com/count.php?page=953131&style=LED_g&nbdigits=9
http://www.e-zeeinternet.com/count.php?page=953001&style=LED_g&nbdigits=9
http://www.e-zeeinternet.com/count.php?page=953020&style=LED_g&nbdigits=9




Then, the trojan sends what look like malformed DNS requests. Wireshark dissects them as DNS traffic only because the packets are sent to port 53, the port assigned to DNS. It isn't really DNS traffic: the trojan is establishing connections with its C&C (command and control) servers, and the packet payloads are encrypted.


Finally, the trojan begins to generate traffic over port 16464/UDP.



Each time I restart the virtual machine, ZeroAccess creates a new code to send to other infected hosts over port 16464/UDP:
9e56cb0d28948dabc9c0d199562fcf9e
975dec6d28948dabc9c0d19943b005e1
fcb23c0a28948dabc9c0d19957ffdbcf
a35ecde828948dabc9c0d199d52aaf97
...

Notice that part of the code is always the same: 28948dabc9c0d199 (the middle 16 hex characters, i.e. bytes 8 to 15 of a 16-byte value). Maybe it identifies the node my computer is connected to.
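To check that observation rather than eyeball it, here is a small added example (mine, not part of the original post) that finds the longest substring shared by all the observed codes and reports the offset at which it appears in each one. The four codes are the ones listed above; the function is generic and works for any number of strings.

```python
"""Find the invariant part of the per-boot codes seen over UDP/16464."""

# The four codes listed in the post, as observed across VM restarts.
OBSERVED_CODES = [
    "9e56cb0d28948dabc9c0d199562fcf9e",
    "975dec6d28948dabc9c0d19943b005e1",
    "fcb23c0a28948dabc9c0d19957ffdbcf",
    "a35ecde828948dabc9c0d199d52aaf97",
]


def longest_common_substring(strings):
    """Return the longest substring present in every string (first one on ties).

    Brute force over substrings of the shortest string, longest first: fine
    for a handful of 32-character codes, not meant for large inputs.
    """
    if not strings:
        return ""
    shortest = min(strings, key=len)
    best = ""
    for start in range(len(shortest)):
        # Only try candidates longer than the best one found so far.
        for end in range(len(shortest), start + len(best), -1):
            cand = shortest[start:end]
            if all(cand in s for s in strings):
                best = cand
                break
    return best


def invariant_offsets(strings, common):
    """Offset of `common` in each string; equal offsets mean a fixed field."""
    return [s.find(common) for s in strings]


if __name__ == "__main__":
    common = longest_common_substring(OBSERVED_CODES)
    print(common, len(common) // 2, "bytes at offsets", invariant_offsets(OBSERVED_CODES, common))
```

For the four codes above the shared run is 28948dabc9c0d199, 8 bytes long, at offset 8 in every code, which is consistent with a fixed field in the middle of a 16-byte value.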

See the map below, which I've created. In only three hours, the trojan made these connections with other servers or infected hosts over port 16464/UDP.
(Map: ZeroAccess supernodes, part I)


ZeroAccess also generates some traffic over port 123/UDP. It is the same situation as with the port 53 traffic: it is not real NTP.
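The five network indicators described in this post (the geoip lookup, the hit counters, the fake DNS on 53/UDP, the peer traffic on 16464/UDP and the fake NTP on 123/UDP) can be turned into a simple classifier. The following is an added example of mine, not code from the post: it works on simplified packet records rather than a pcap, and the sample records, the payload sanity checks and the indicator names are my own constructions. Only the hostnames, paths and ports come from the post. The point of the two sanity checks is that an encrypted blob sent to port 53 or 123 fails even a minimal DNS or NTP parse, which is how you separate the fake traffic Wireshark labels as DNS/NTP from the real thing.

```python
"""Flag the ZeroAccess network indicators described in this post.

Records are simplified packets (constructed below), not a pcap: each has the
transport protocol, destination port, and either an HTTP host/path or a raw
UDP payload.
"""

GEOIP_CHECK = ("j.maxmind.com", "/app/geoip.js")
HIT_COUNTER = ("www.e-zeeinternet.com", "/count.php")
P2P_PORT = 16464        # ZeroAccess peer traffic over UDP
FAKE_DNS_PORT = 53      # encrypted C&C traffic that only looks like DNS
FAKE_NTP_PORT = 123     # same trick over the NTP port


def looks_like_dns_query(payload: bytes) -> bool:
    """Minimal DNS sanity check: 12-byte header, sane opcode, and every
    question parsing as RFC 1035 labels followed by QTYPE/QCLASS."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    opcode = (flags >> 11) & 0xF
    qdcount = int.from_bytes(payload[4:6], "big")
    if opcode > 5 or qdcount == 0:
        return False
    pos = 12
    for _ in range(qdcount):
        while True:                       # walk the QNAME labels
            if pos >= len(payload):
                return False
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length > 63 or pos + length > len(payload):
                return False
            pos += length
        pos += 4                          # QTYPE + QCLASS
        if pos > len(payload):
            return False
    return True


def looks_like_ntp(payload: bytes) -> bool:
    """Minimal NTP sanity check (RFC 5905): at least the 48-byte fixed header,
    version 1..4 and a non-zero mode in the first byte."""
    if len(payload) < 48:
        return False
    version = (payload[0] >> 3) & 0x7
    mode = payload[0] & 0x7
    return 1 <= version <= 4 and mode != 0


def classify(record: dict) -> list:
    """Return the list of indicators a single record matches."""
    hits = []
    if record["proto"] == "tcp" and "host" in record:
        if (record["host"], record["path"]) == GEOIP_CHECK:
            hits.append("geoip-lookup")
        if record["host"] == HIT_COUNTER[0] and record["path"].startswith(HIT_COUNTER[1]):
            hits.append("hit-counter")
    elif record["proto"] == "udp":
        payload = record.get("payload", b"")
        if record["dport"] == P2P_PORT:
            hits.append("udp-16464")
        elif record["dport"] == FAKE_DNS_PORT and not looks_like_dns_query(payload):
            hits.append("fake-dns")
        elif record["dport"] == FAKE_NTP_PORT and not looks_like_ntp(payload):
            hits.append("fake-ntp")
    return hits


def scan(records: list) -> dict:
    """Map record index -> indicators, for every record that matched something."""
    return {i: classify(r) for i, r in enumerate(records) if classify(r)}


# Constructed sample traffic for the demo (not captured from the sample).
SAMPLE_RECORDS = [
    {"proto": "tcp", "dport": 80, "host": "j.maxmind.com", "path": "/app/geoip.js"},
    {"proto": "tcp", "dport": 80, "host": "www.e-zeeinternet.com",
     "path": "/count.php?page=953121&style=LED_g&nbdigits=9"},
    {"proto": "tcp", "dport": 80, "host": "www.example.com", "path": "/"},
    # A legitimate A query for example.com: header + QNAME + QTYPE/QCLASS.
    {"proto": "udp", "dport": 53,
     "payload": b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
                b"\x07example\x03com\x00\x00\x01\x00\x01"},
    # Opaque blob on port 53: bogus opcode, absurd QDCOUNT, label length 0xff.
    {"proto": "udp", "dport": 53,
     "payload": b"\x9a\x1f\xc4\x2e\x5a\x3c\x00\x00\x00\x00\x00\x00" + b"\xff" * 20},
    # Peer traffic; payload is one of the codes above as raw bytes (assumed framing).
    {"proto": "udp", "dport": 16464, "payload": bytes.fromhex("9e56cb0d28948dabc9c0d199562fcf9e")},
    # A real NTP client request: LI=0, VN=4, mode=3, then zeroed fields.
    {"proto": "udp", "dport": 123, "payload": b"\x23" + b"\x00" * 47},
    # Opaque blob on port 123: too short, and version/mode fields are zero.
    {"proto": "udp", "dport": 123, "payload": b"\x00" * 30},
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS).items():
        print(idx, hits)
```

Two caveats for anyone turning this into a production rule: the 16464/UDP match is port-based only, so it will also flag any legitimate service that happens to use that port, and the DNS/NTP checks are heuristics that catch opaque blobs but not C&C data tunnelled inside syntactically valid DNS or NTP messages.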



You can continue reading ZeroAccess Trojan - Network Analysis Part II