This repository has been archived on 04/Mar/2020.

Language: C
License: BSD 2-Clause "Sim...
Created almost 9 years ago, updated almost 7 years ago.


ZeroAccess v3 toolkit

ZeroAccess

Toolkit for ZeroAccess/Sirefef v3

ZeroAccess is an advanced malware family (probably the most advanced of all that are available), whose first appearance was in the middle of 2009. Initially a Win32 kernel mode rootkit, it was later transformed into a user mode toolkit. It uses a self-made p2p engine for communication (main purpose: downloading files) and is based on a modular structure. It survived multiple takedown attempts (which mostly served the marketing purposes of various so-called security companies/corporations) and has multiple generations of various toolkit modules. This project provides insights into the ZeroAccess v3 code and several instruments for working with ZeroAccess v3 files. It is mostly for educational purposes.

Project Contents

Umikaze - peer list (@ file) decoder

Processes the input file as a ZeroAccess peer file; the type is required for correct port assignment. The result is an output file with Time and IP+Port pairs as text.

Usage: zadecode peerlist_filename [type 32 or 64, default 32]

Example: zadecode s32 32

Shigure - payload decryptor

Processes the input as a ZeroAccess payload container, attempting to decode it using RC4 and then extract the Microsoft Cabinet inside.

Usage: zadecrypt inputfile [outputfile]

Example: zadecrypt 80000000.@ out.bin

Harusame - payload container verifier

Verifies whether the given file is a valid ZeroAccess container. Requires the EA (extended attribute) to be set on the input file. More information about the verification algorithm can be found in the source.

Usage: zacheck inputfile [mode 32 or 64, default 32]

Example: zacheck 80000000.@ 32

Yuudachi - ZeroAccess p2p network crawler

GUI application that monitors the given p2p botnet network and downloads payloads from it. Downloaded files contain all the information required for further verification by the zacheck tool. It dumps collected peers in ZeroAccess format so they can be used as the next bootstrap list. Use the x86-32 version for the win32 botnet and the x64 version for the win64 botnet. To work, it requires a proper bootstrap list and read/write access to the current directory.

Murasame - dropper extractor

Extracts the actual bot installation dropper from the encrypted resource of the high level dropper.

Usage: zaextract inputfile [outputfile] hexkey

Example: zaextract highlvlbot.bin lowlvlbot.bin 0x12345678

System Requirements

Does not require administrative privileges. Some tools may require read/write access to their own directories. A modern compatible NT version is required; Windows XP is not supported. For the best experience, allow zamon32/zamon64 through the firewall.

Build

The project comes with full source code written in C. In order to build from source you need Microsoft Visual Studio 2015 U1 or a later version.

Authors

(c) 2016 ZeroAccess Project
