Virus Warning for Windows OS

Information Technology Services
103 Maytum Hall
The State University of
New York at Fredonia
Fredonia, NY 14063
Ph: (716) 673-4670
We have reports of 5 instances of the ZeroAccess Trojan on campus in the past week.  Students may download Symantec Endpoint Protection without charge from the Download section of Your Connection.
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP
INFECTION METHOD 
As this threat is a Trojan, by definition it does not actively spread by itself and needs other means to arrive on a computer. Most commonly, Zeroaccess is spread through websites that have been compromised and redirect traffic to a malicious website hosting an exploit toolkit. That toolkit then attempts to exploit various vulnerabilities in the visitor's browser or plug-ins to penetrate the computer and infect it with Zeroaccess.

It has also been observed updating itself through peer-to-peer networks. This allows the creators to continually improve functionality of the threat as well as potentially add new functionality. 

1. PREVENTION AND AVOIDANCE 
The following actions can be taken to avoid or minimize the risk from this threat. 

1.1 User behavior and precautions 
Users can mitigate the risk of infection by being careful about clicking links found on websites, such as blogs and forums where there is potentially little control or quality checks on the content. Basic checks such as hovering with the mouse pointer over the link will normally show where the link leads to. Users can also check online Web site rating services, such as safeweb.norton.com, to see if the site is deemed safe to visit. 
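The hover check above works because the text a page shows for a link and the address the link actually opens are two separate things. The following Python script is an added example (not part of this notice or of the Symantec write-up) that performs the same comparison automatically: it pulls each anchor out of a small constructed HTML snippet, reports the real destination host, and flags links whose visible text looks like a URL for a different host. The HTML, hosts and paths are invented for the example.

```python
"""Flag anchors whose visible text names a different host than their real href."""
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample HTML (not from any real site). The second link is deceptive:
# its visible text names one host while its href points somewhere else.
SAMPLE_HTML = """
<p>Download: <a href="https://downloads.example.edu/sep">https://downloads.example.edu/sep</a></p>
<p>Mirror: <a href="http://update-portal.example.net/get.php?id=7">https://downloads.example.edu/sep</a></p>
<p>Read the <a href="https://www.example.edu/it/news">IT news page</a></p>
"""

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_TEXT_RE = re.compile(r"^(?:https?://|www\.)", re.I)
TAG_RE = re.compile(r"<[^>]+>")


def link_destination(href: str) -> str:
    """Host the link really goes to (what the browser status bar shows on hover)."""
    return (urlparse(href).hostname or "").lower()


def claimed_host(text: str) -> Optional[str]:
    """If the visible link text looks like a URL, return the host it claims; else None."""
    text = TAG_RE.sub("", text).strip()
    if not URL_TEXT_RE.match(text):
        return None
    if text.lower().startswith("www."):
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def audit_links(html: str) -> list:
    """Return one record per anchor, with 'deceptive' set when text host != real host."""
    results = []
    for href, text in ANCHOR_RE.findall(html):
        real = link_destination(href)
        claimed = claimed_host(text)
        results.append({
            "text": TAG_RE.sub("", text).strip(),
            "href": href,
            "real_host": real,
            "deceptive": claimed is not None and claimed != real,
        })
    return results


if __name__ == "__main__":
    for rec in audit_links(SAMPLE_HTML):
        flag = "DECEPTIVE" if rec["deceptive"] else "ok"
        print(f"{flag:9} text={rec['text']!r} -> {rec['real_host']}")
```

Only links whose visible text is itself a URL can be judged this way; a link labelled "IT news page" is neither confirmed nor flagged, which is exactly why hovering (or this kind of script) is a check rather than a guarantee.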

When performing searches in search engines, treat any results returned with caution and double-check them before following the links. If pop-up advertisements are displayed, do not click on them or follow any links within them. 

Users should be wary of any sites or services offering free downloads of copyrighted content, such as music, videos, or cracked software. These are often booby-trapped with malicious software and are a known way for this threat to spread. Promiscuous file-sharing may also increase the risk of compromise.

1.2 Patch operating system and software 
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software are up to date and operational. Users should turn on automatic updates where available so that their computers receive the latest patches as soon as they are released.

FUNCTIONALITY 
The primary motivation of this threat is to make money through pay-per-click advertising and bitcoin mining. It does this by downloading additional software that conducts Web searches and clicks on the results, or that mines bitcoins. It attempts to stay hidden and undetected for as long as possible to maximize revenue. It does this by employing advanced rootkit techniques that hide not only the threat itself, but also any other threats that Zeroaccess may download and install.

Furthermore, it opens a back door and connects to a command and control (C&C) server, which allows the remote attacker access to the compromised computer. The attacker is then able to perform any number of actions on the computer, and the computer may then become part of a wider botnet. 
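A compromised computer that checks in with a C&C server tends to contact the same host at a regular interval, which is visible in proxy or firewall logs even when the traffic itself looks like ordinary web requests. The script below is an added example (not from this notice or from Symantec) of that detection idea: it groups constructed proxy log lines by client and destination host and reports pairs whose connection gaps are nearly constant. The log format, the IP address and the hostnames are all invented for the example; real beaconing often adds random jitter, so the tolerance would need tuning on real data.

```python
"""Spot periodic outbound connections (C&C-style beaconing) in constructed proxy logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (format, client address and hosts are invented).
# Format: "<ISO timestamp> <client_ip> <destination_host> <bytes>"
SAMPLE_LOG = """\
2014-08-01T10:00:03 10.20.30.41 www.example.edu 5120
2014-08-01T10:00:05 10.20.30.41 relay-1.example.invalid 312
2014-08-01T10:05:05 10.20.30.41 relay-1.example.invalid 298
2014-08-01T10:07:19 10.20.30.41 cdn.example.org 80211
2014-08-01T10:10:06 10.20.30.41 relay-1.example.invalid 305
2014-08-01T10:15:04 10.20.30.41 relay-1.example.invalid 310
2014-08-01T10:20:05 10.20.30.41 relay-1.example.invalid 301
2014-08-01T10:22:40 10.20.30.41 www.example.edu 4410
2014-08-01T10:25:06 10.20.30.41 relay-1.example.invalid 299
2014-08-01T10:31:12 10.20.30.41 mail.example.edu 1200
"""


def parse_log(text: str) -> dict:
    """Map (client, host) -> sorted list of connection timestamps."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _size = line.split()
        events[(client, host)].append(datetime.fromisoformat(ts))
    for times in events.values():
        times.sort()
    return events


def find_beacons(text: str, min_hits: int = 5, max_jitter: float = 0.1) -> list:
    """Report (client, host) pairs seen at least min_hits times whose inter-arrival
    gaps vary by no more than max_jitter (coefficient of variation)."""
    findings = []
    for (client, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({
                "client": client,
                "host": host,
                "hits": len(times),
                "interval_s": round(avg, 1),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: {f['hits']} hits every ~{f['interval_s']}s")
```

Interactive browsing produces irregular gaps and few repeats to one host, so the ordinary traffic in the sample is not reported; only the five-minute check-in pattern is. A hit from this kind of heuristic is a reason to inspect the machine, not proof of infection by itself.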

Additional information may be found at the following site:
http://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99&tabid=2

Page modified 8/4/14