ZeroAccess’s trick – A wolf in sheep’s clothing.

2011-10-24 | Posted in Reverse Engineering and Debugging | Viewed 190 times | Comments

In a previous article, my colleague described a new way of injecting virus code into other, normal processes in order to bypass firewall detection. During our continued research on ZeroAccess, we found further improvements to this family's anti-detection and anti-debugging methods. Most interesting of all, ZeroAccess seems to really like lsass.exe: it often wears lsass's clothing.

In this case, the ZeroAccess variant did not use ZwMapViewOfSection to inject into explorer.exe. It simply used the ordinary ZwAllocateVirtualMemory and ZwWriteVirtualMemory calls to fill explorer.exe's memory with virus code.

Once execution reaches the injected code inside explorer.exe, it first calls RtlAddVectoredExceptionHandler to install a vectored exception handler.
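The behaviour just described, a remote ZwAllocateVirtualMemory followed by a remote ZwWriteVirtualMemory into a different process, is something an analyst can hunt for in an API trace regardless of what the source process calls itself. The detector below is an added example, not code from the original post; the trace format and the sample lines are constructed for this example and do not come from a real sandbox.

```python
import re
from collections import defaultdict

# Constructed sample API-trace lines (assumed format, not real sandbox output):
# "pid:<n> proc:<name> api:<name> target_pid:<n>". The lsass.exe-named process
# here mimics the post's "wolf in sheep's clothing": its name is harmless, its
# behaviour (remote allocate + remote write into explorer.exe) is not.
SAMPLE_TRACE = """\
pid:1234 proc:svchost.exe api:ZwAllocateVirtualMemory target_pid:1234
pid:2048 proc:lsass.exe api:ZwOpenProcess target_pid:1600
pid:2048 proc:lsass.exe api:ZwAllocateVirtualMemory target_pid:1600
pid:2048 proc:lsass.exe api:ZwWriteVirtualMemory target_pid:1600
pid:1600 proc:explorer.exe api:RtlAddVectoredExceptionHandler target_pid:1600
pid:3000 proc:notepad.exe api:ZwWriteVirtualMemory target_pid:3000
pid:3100 proc:calc.exe api:ZwWriteVirtualMemory target_pid:1600
"""

LINE_RE = re.compile(r"pid:(\d+) proc:(\S+) api:(\S+) target_pid:(\d+)")

# The two-step sequence the post describes, in the order it must occur.
ALLOCATE_API = "ZwAllocateVirtualMemory"
WRITE_API = "ZwWriteVirtualMemory"


def find_cross_process_writes(trace):
    """Return [(source_pid, source_proc, target_pid), ...] for every caller that
    allocated memory in a foreign process and then wrote into that same process.
    Same-process operations and a write with no preceding allocate are ignored."""
    allocated = defaultdict(bool)  # (src_pid, target_pid) -> remote allocate seen
    hits = []
    flagged = set()
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        pid, proc, api, target = m.groups()
        if pid == target:
            continue  # a process touching its own memory is normal
        key = (pid, target)
        if api == ALLOCATE_API:
            allocated[key] = True
        elif api == WRITE_API and allocated[key] and key not in flagged:
            flagged.add(key)
            hits.append((pid, proc, target))
    return hits


if __name__ == "__main__":
    for src_pid, src_proc, dst_pid in find_cross_process_writes(SAMPLE_TRACE):
        print(f"suspicious: {src_proc} (pid {src_pid}) wrote into pid {dst_pid}")
```

Keying on the behaviour rather than the process name is the point: a real lsass.exe has no reason to allocate and write memory inside explorer.exe.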
