In this frequently asked questions post, I will publish some of the questions people ask me, and then will post some answers from my expertise about Sirefef or ZeroAccess.
Q: How to protect from this atrocity?
Q: Are Sirefef and ZeroAccess the same thing?
A: YES! They are both the same, but names different by many antivirus companies. This is sometimes due to language translations and competitiveness.
Q: Can the ZeroAccess virus infect my flash drive?
A: I doubt that the virus could activate on the flash drive, unless you plugged it in while logged on to the infected Windows. If you’re worried about running something accidental on the flash drive, use USB Immunizer from BitDefender to disinfect it.
Q: Should my passwords be changed after the ZeroAccess infection? Is it only active ones to change?
All active passwords and even passive ones need to be changed. If you’re unsure about passive ones, then don’t set a new password based on old passwords. Go all fresh with new passwords. See more on passwords.
Q: What is Sirefef, how did it infect my computer, or when are new variants released?
Sirefef or ZeroAccess is a transitional rootkit, virus, and/or backdoor trojan. It is still being watched and studied constantly, having 2-3 new variants every two weeks. We stay abreast of all changes.
Q: How did Sirefef infect me?
Viruses or other malware get embedded in to webpages through iFrame exploits commonly, or through vulnerable plugin exploitation. For iFrame exploits, malware authors can create a small (1x1px) iFrame, which contains scripts necessary to run malware on a target machine by automatically downloading and installing malware. The vulnerable plugin problem happens when people fail to update Adobe Reader, Adobe Flash Player, Java Runtime Environment, Apple QuickTime, Mozilla Firefox, etc. Many times, malware authors use these vulnerable versions of the plugins to distribute an exploit, which can allow them to take control of a computer.
Other malware can be distributed by means of operating system and program bugs. Sometimes programs and very often, Windows, becomes vulnerable to attacks, because of certain bugs in the code.
Those whom do not have proper Internet security protection will fall victim to exploits.
Many people are being hit with Sirefef because of these exploits. I’d say 3/4 of people I’ve seen here on the forums have out-of-date plugins, inevitably leading to infection. Sirefef is one of the most prevalent and highly engaged malware coded problems in the past year.
It is highly recommended to have proper Internet security protection! We recommend you to read that post and pick out a premium antivirus program for your computer RIGHT AWAY!
By Jay Pfoutz
Apparently, the new showy security threat is Rakshasa… At Black Hat Las Vegas, this new security technique was unveiled.
This new malware by researcher Jonathan Brossard is apparently ‘impossible to disinfect’.
Now, FIRST OF ALL!! – Anything created with man’s hands can be destroyed. I’d like to see this opinion last: undetectable, can’t be disinfected, etc.
The paper on Rakshasa can be found here. It describes a hardware backdoor. Unbeknownst to this artist researcher, companies like Kaspersky or ESET have already begun to craft hardware antivirus drivers. So, this backdoor hardware malware scheme is a bit late, but maybe just in time, too.
Will it be used? Who knows. That’s the scary part!
It is realistically a BIOSkit, a rootkit that infects the BIOS of the computer. What’s wrong with this…? It can be easily disinfected by flashing all of the devices of the computer, which apparently would be infected.
However, this malware has not been tested in an enterprise-based beta, which means just because it worked on a couple of machines does not mean it would work on any other computer. Impressive? Yes! But, not at all scary, yet.
What makes me more shocked, is that people will actually believe that this malware will not be able to be disinfected. But, this is the turnaround: it can be! This is nothing more than a BIOSkit, and we have seen BIOSkits removed in our leagues many times.
But, then again, people commonly believe rootkits are impossible to be removed too. Look…we proved them wrong!
By inflicting code signing for BIOS, just like all other hardware driver signing, can easily keep it blocked. Also, if BitLocker evolves in Windows 8 and further technologies, it could easily secure the OS. Also, things like device encryption, could be taken to a new level.
This is not a new vulnerability, and Brossard agrees.