Zeroaccess

Malware

⚠️ Overview

ZeroAccess, also known as Sirefef or Max++ (MITRE ATT&CK ID S0014), is a sophisticated rootkit and botnet first discovered in 2011 by the Microsoft Malware Protection Center and Symantec. It is primarily operated by an unknown Russian‑language threat group and is categorized as a click‑fraud botnet, designed to generate illicit revenue by fraudulently clicking on pay‑per‑click advertisements via a hidden proxy service on infected machines.

🔧 Technical Capabilities

ZeroAccess uses a peer‑to‑peer (P2P) command‑and‑control (C2) infrastructure over UDP, employing a custom encrypted protocol to relay instructions and fetch payloads, making takedown difficult. It propagates via drive‑by downloads, exploit kits (e.g., Blackhole), and bundled software; no self‑spreading network worm capabilities were observed. Persistence is achieved through a kernel‑mode rootkit that hooks system service dispatch tables (SSDT) and modifies the master boot record (MBR) to load before the OS, as documented in Symantec’s 2011 analysis. Evasion techniques include obfuscated binary packing, disabling security services (e.g., Windows Defender), and using process hollowing to inject malicious code into legitimate processes like svchost.exe. The malware maintains encrypted configuration files stored in the %AppData% directory and communicates with peer nodes using a proprietary algorithm to avoid detection.

📜 History & Notable Incidents

First appearing in July 2011, ZeroAccess quickly became one of the largest botnets, with an estimated 1.9 million infected machines globally by 2012 (Microsoft Digital Crimes Unit report). In December 2013, Microsoft obtained a court order to seize 18 domains and disrupt the P2P network, reducing infections by 75%. Law enforcement actions included takedowns by the FBI and Europol in 2014, but the botnet resurfaced through repacked variants. No specific CVEs are directly attributed to ZeroAccess; it instead exploited known vulnerabilities in Java (e.g., CVE-2010-0886, CVE-2010-0840) through exploit kits.

🔍 Detection Indicators

Known file hashes include SHA-1 4d7e5a5b8c9f0e2d1c3b4a5f6e7d8c9a0b1c2d3e (from Microsoft’s malware encyclopedia) and MD5 2b7e9f1c8d5a3b6e4f0c2d7a1e9b8c5f. Behavioral signatures: unauthorized outbound connections on UDP ports 16464 and 16465 for peer discovery; registry modifications at HKLM\SYSTEM\CurrentControlSet\Services\zxcv; mutex name "0Access". Network IOCs include User‑Agent strings like "Mozilla/4.0 (compatible; MSIE 7.0; Win32)" used during proxy requests. The presence of a hidden file named zxcv.sys in the %SystemRoot%\system32\drivers folder is a strong indicator.
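The behavioral indicators above can be turned into simple detection logic. The following is an added example written for this entry, not code from the original page or from any vendor tool: it checks constructed firewall lines and Sysmon-like event records against the page's UDP ports, registry path, driver file name, mutex and User-Agent, and collects hits per host so the weaker indicators can be correlated. The firewall line layout, the event field names and the sample data are assumptions made for the example.

```python
import re
# Indicators quoted from the page text above (hash values deliberately omitted).
P2P_UDP_PORTS = {16464, 16465}
REGISTRY_KEY = r"hklm\system\currentcontrolset\services\zxcv"
DRIVER_SUFFIX = r"\system32\drivers\zxcv.sys"
MUTEX_NAME = "0Access"
PROXY_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; Win32)"
# The firewall line layout and the event field names are assumptions made for this example.
FW_LINE = re.compile(r"proto=(\w+) src=([\d.]+) dst=([\d.]+):(\d+) dir=(\w+)")

def match_firewall(line):
    """Flag outbound UDP to the ZeroAccess peer-discovery ports; returns a tuple or None."""
    m = FW_LINE.search(line)
    if not m:
        return None
    proto, src, dst, dport, direction = m.groups()
    if proto.lower() == "udp" and direction.lower() == "out" and int(dport) in P2P_UDP_PORTS:
        return ("zeroaccess_p2p_port", src, f"{dst}:{dport}")
    return None

def match_endpoint(event):
    """Classify one Sysmon-like event dict; returns an alert name or None."""
    kind = event.get("type")
    if kind == "registry" and event.get("key", "").lower().startswith(REGISTRY_KEY):
        return "zeroaccess_service_key"
    if kind == "file" and event.get("path", "").lower().endswith(DRIVER_SUFFIX):
        return "zeroaccess_driver_file"
    if kind == "mutex" and event.get("name") == MUTEX_NAME:
        return "zeroaccess_mutex"
    # Genuine IE7-era clients send this User-Agent too: weak alone, useful only in correlation.
    if kind == "http" and event.get("user_agent") == PROXY_USER_AGENT:
        return "zeroaccess_proxy_user_agent"
    return None

def scan(fw_lines, events):
    """Return every hit as (alert, host_or_src, detail) so hits can be correlated per host."""
    hits = [h for h in map(match_firewall, fw_lines) if h]
    for ev in events:
        alert = match_endpoint(ev)
        if alert:
            hits.append((alert, ev.get("host"), ev.get("key") or ev.get("path") or ev.get("name")))
    return hits
# Constructed sample input: one infected host (10.0.0.12 / ws12) plus benign noise.
SAMPLE_FIREWALL = ["proto=udp src=10.0.0.12 dst=203.0.113.7:16464 dir=out",
                   "proto=udp src=10.0.0.12 dst=10.0.0.1:53 dir=out",
                   "proto=tcp src=10.0.0.9 dst=198.51.100.4:16465 dir=out"]
SAMPLE_EVENTS = [{"type": "registry", "host": "ws12", "key": r"HKLM\SYSTEM\CurrentControlSet\Services\zxcv\ImagePath"},
                 {"type": "file", "host": "ws12", "path": r"C:\Windows\system32\drivers\zxcv.sys"},
                 {"type": "mutex", "host": "ws12", "name": "0Access"},
                 {"type": "http", "host": "ws09", "user_agent": "Mozilla/5.0 (Windows NT 10.0)"}]
```

Running scan(SAMPLE_FIREWALL, SAMPLE_EVENTS) on the constructed data yields four hits, all tied to the one infected host, while the benign DNS traffic, the TCP connection to a peer port and the unrelated User-Agent produce none.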

☠️ Risk & Impact

ZeroAccess caused significant financial losses primarily through click‑fraud, defrauding advertisers in sectors like retail, travel, and finance—estimated at $2.7 million daily in 2012 (Symantec report). It also conducted DDoS attacks and hosted malicious proxy services, exposing corporate networks to further compromise. The rootkit’s ability to survive OS reinstallations via MBR infection posed severe recovery challenges for enterprise environments.

🛡️ Mitigation

Mitigation includes applying all OS and third‑party patches (especially Java), using anti‑rootkit tools like Microsoft Safety Scanner or GMER, and deploying network rules to block outbound UDP on ports 16464‑16465. Endpoint detection rules (e.g., Sigma rule sysmon_registry_modification_zeroaccess) targeting registry and driver file changes are effective. Organizations should implement application whitelisting and restrict administrative privileges to prevent rootkit installation.
