Rootkit War Zeroaccess Kills TDL3

A cyber gang has found a new way to generate income: the group is selling the TDL3 malware on several underground forums, bundled with a modified source-code package that allows an infected computer to remove the TDL malware.

The malware authors have created two different versions: one contains the original code and is not for sale, and the other is a modified package called the ZeroAccess rootkit. According to Webroot's analysis, ZeroAccess contains a module called Anti-TDL that, by executing malicious code, works to remove TDL3. The malware also contains another plugin called clickbot. It registers a class called Z00clicker2; this is an ad-clicker and search-engine hijacker.

ZeroAccess strongly resembles the TDL3 rootkit in many ways:

  • They implement the same idea of storing their code outside the system’s filesystem,
  • They use RC4 encryption,
  • They choose randomly the driver to be infected,
  • They filter SCSI_REQUEST_BLOCK packets at a lower level than disk.sys.

However, the disk-filtering engine implemented by ZeroAccess is not as advanced as the one implemented by the TDL3 rootkit; this is why a ZeroAccess infection is easier to detect and remove than TDL3.

Here you can find a video on YouTube made by Webroot on ZeroAccess.

  • Cool, … “not for sail” –> sale

  • Thanks a lot for the correction… 🙂 Just fixed it