The malware spreads as cracks and fake video codecs

Aug 16, 2012 11:58 GMT  ·  By

Malware developers are always doing their best to ensure that their creations go unnoticed. The latest example is a new variant of the ZeroAccess Trojan that hides its payload by abusing the Extended Attributes (EA) feature of the NTFS file system.

Trojan.Zeroaccess.C relies on the native API call ZwSetEaFile to write its payload into the EA data of the services.exe file located in %System%. The replaced services.exe then uses ZwQueryEaFile to retrieve the malicious component from the EA and execute it, Symantec reports. Because the payload lives in the file's attributes rather than in its main data stream, a scanner that only reads file contents never sees it.
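To make the technique concrete, the following added example (not part of the original article or of Symantec's or Trend Micro's analysis) walks the FILE_FULL_EA_INFORMATION chain that ZwQueryEaFile returns and flags any EA whose value is a PE image or is unusually large. The parser and the heuristic run on any platform against a constructed sample buffer; the `read_ea_buffer` and `scan_directory` helpers are Windows-only and call ntdll!NtQueryEaFile (the user-mode name of the same call the Trojan's loader uses). The EA names, the 4 KiB size threshold and the sample payload are assumptions made for this example.

```python
"""Walk NTFS extended attributes and flag ones that look like a hidden payload."""
import struct
import sys

# Layout of FILE_FULL_EA_INFORMATION (ntifs.h): ULONG NextEntryOffset, UCHAR Flags,
# UCHAR EaNameLength, USHORT EaValueLength, then EaName, a NUL byte, and the value.
# Entries are 4-byte aligned; NextEntryOffset == 0 marks the last one.
_EA_HEADER = struct.Struct("<IBBH")


def build_ea_buffer(entries):
    """Serialise (name, value) pairs into the same byte layout NtQueryEaFile returns.
    Only used to construct offline test input for this example."""
    out = bytearray()
    for i, (name, value) in enumerate(entries):
        name_b = name.encode("ascii")
        payload = name_b + b"\x00" + value
        padded = payload + b"\x00" * ((-(_EA_HEADER.size + len(payload))) % 4)
        next_off = 0 if i == len(entries) - 1 else _EA_HEADER.size + len(padded)
        out += _EA_HEADER.pack(next_off, 0, len(name_b), len(value)) + padded
    return bytes(out)


def parse_ea_buffer(buf):
    """Yield (name, value) for every entry in a FILE_FULL_EA_INFORMATION chain."""
    off = 0
    while off < len(buf):
        next_off, _flags, name_len, value_len = _EA_HEADER.unpack_from(buf, off)
        name_start = off + _EA_HEADER.size
        name = buf[name_start:name_start + name_len].decode("ascii", "replace")
        value_start = name_start + name_len + 1          # skip the NUL after the name
        yield name, bytes(buf[value_start:value_start + value_len])
        if next_off == 0:
            break
        if next_off < _EA_HEADER.size:                   # malformed chain: refuse to spin
            raise ValueError(f"bad NextEntryOffset {next_off} at offset {off}")
        off += next_off


def suspicious_eas(entries, size_threshold=4096):
    """Return [(name, [reasons])] for EAs that carry a PE image or a large blob.
    The threshold is an assumption for this example: stock Windows system binaries
    normally carry no EAs at all, so anything sizeable on them deserves a look."""
    findings = []
    for name, value in entries:
        reasons = []
        if value[:2] == b"MZ":
            reasons.append("value starts with MZ (PE image)")
        if len(value) >= size_threshold:
            reasons.append(f"value is {len(value)} bytes")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed sample: one benign EA plus a fake PE payload, mimicking the Trojan's use.
SAMPLE_EA_BUFFER = build_ea_buffer([
    ("NTFSUSER", b"x" * 10),
    (".PAYLOAD", b"MZ" + b"\x90" * 5000),        # assumed name; value stands in for the loader's payload
])


def read_ea_buffer(path):
    """Windows only: raw EA buffer for `path` via ntdll!NtQueryEaFile. b"" if no EAs."""
    import ctypes
    from ctypes import wintypes

    class IO_STATUS_BLOCK(ctypes.Structure):
        _fields_ = [("Status", ctypes.c_void_p), ("Information", ctypes.c_size_t)]

    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    kernel32.CreateFileW.restype = wintypes.HANDLE
    kernel32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD,
                                     wintypes.LPVOID, wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    ntdll.NtQueryEaFile.restype = ctypes.c_long      # NTSTATUS
    ntdll.NtQueryEaFile.argtypes = [wintypes.HANDLE, ctypes.POINTER(IO_STATUS_BLOCK), ctypes.c_void_p,
                                    wintypes.ULONG, wintypes.BOOLEAN, ctypes.c_void_p, wintypes.ULONG,
                                    ctypes.POINTER(wintypes.ULONG), wintypes.BOOLEAN]
    GENERIC_READ, SHARE_RW, OPEN_EXISTING = 0x80000000, 0x3, 3
    h = kernel32.CreateFileW(path, GENERIC_READ, SHARE_RW, None, OPEN_EXISTING, 0, None)
    if h == wintypes.HANDLE(-1).value:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        buf = ctypes.create_string_buffer(64 * 1024)  # NTFS caps the EA set of a file at 64 KiB
        iosb = IO_STATUS_BLOCK()
        status = ntdll.NtQueryEaFile(h, ctypes.byref(iosb), buf, len(buf), 0, None, 0, None, 1)
        if status & 0xFFFFFFFF == 0xC0000052:         # STATUS_NO_EAS_ON_FILE
            return b""
        if status < 0:
            raise OSError(f"NtQueryEaFile failed: 0x{status & 0xFFFFFFFF:08X}")
        return buf.raw[:iosb.Information]
    finally:
        kernel32.CloseHandle(h)


def scan_directory(root):
    """Windows only: {path: findings} for every file under `root` with suspicious EAs."""
    import os
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            p = os.path.join(dirpath, fn)
            try:
                hits = suspicious_eas(parse_ea_buffer(read_ea_buffer(p)))
            except OSError:
                continue                               # locked or inaccessible; log this in production
            if hits:
                report[p] = hits
    return report


if __name__ == "__main__":
    if sys.platform == "win32" and len(sys.argv) > 1:
        for path, hits in scan_directory(sys.argv[1]).items():
            print(path, hits)
    else:
        print(suspicious_eas(parse_ea_buffer(SAMPLE_EA_BUFFER)))
```

Run it with a directory argument on Windows (for example %SystemRoot%\System32, as an elevated user) to enumerate EAs the way the loader does; without arguments it exercises the parser on the constructed sample. Two caveats: a file already replaced by the Trojan's loader must be read through the same NTFS APIs, so a tool that only hashes the main data stream will still miss the payload, and a rootkit component that hooks these calls can lie to user-mode tools, which is why an offline scan of the volume is the stronger check.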

Once it has been altered, the services.exe file cannot be repaired in place, because the loader code is written over the original one and nothing of the original remains to recover. Fortunately, Windows Vista and newer versions of Microsoft's operating system can restore the file from their own protected copies (for example with sfc /scannow), so a clean services.exe does not have to be sourced from elsewhere.

“As with other NTFS features, accessing the EA requires a specialized API and usually malware writers employ these techniques in the hope that antivirus products do not support them. This results in the payload remaining functional for longer periods of time,” Mircea Ciubotariu of Symantec explained.

Trend Micro researchers have also studied this particular version and found that the infection starts with a file called K-Lite Codec Pack.exe. This strongly suggests that the cybercriminals behind the campaign are disguising the malware as a codec pack that users believe they need in order to view video content.

ZeroAccess is also bundled with other pieces of malware hidden in cracks and key generators for games.

Throughout July the Trojan affected a large number of users, with a sharp spike in infections recorded around July 14. The victims are spread worldwide, most of them in the United States (11,078), Japan (1,954), Australia (1,417) and the United Kingdom (856).

Traces of the malicious element have also been located in Germany, Canada and France.