ZeroAccess has become an increasingly popular payload for the various exploit packs currently on the market, in particular Blackhole. An exploit pack typically comes as a series of PHP scripts that are stored on a web server under the control of the attacker. When a victim’s browser accesses the loaded website, the server backend will attempt to exploit a vulnerability on the target machine and execute the payload. Exploit packs usually contain a great many different exploits targeting applications commonly found on Windows PCs, such as Internet Explorer, Acrobat, Flash and Java.
Thanks to Vipin & Nitin Kumar for providing me with their privilege escalation attack (source code together with some more detailed information). I rewrote a driver in C that does that job - overwriting the security token of with the one of . It waits until the image "" is loaded and escalates the rights of the process. An attacker can use this in the real world, for example, as a root shell on a target system (with physical access). Take a look at the kernel debug output generated from the driver: