The Zero Access threads in Top Threats and Artemis have gone quiet for the moment, but this particular piece of malware hasn't gone away.
None of the posters to those threads has indicated where or how they might have acquired Zero Access, although in at least some cases there appears to be a connection with a Fake AV program going under various names including Open Cloud Security.
Now one of the infection vectors has been identified. Anyone using Yahoo or Bing to search for a place from which to download the latest version of Flash Player would have seen, before any of the search results, one or more "Sponsored Results" - like the example below.
One of those Sponsored Results redirected browsers to a directory on a hijacked site (Arulbrothers dot com, a haulage [trucking] company) which downloaded the rootkit from torreandaluz-dot-com (a site rated Red by WOT, Green by SiteAdvisor).
So that's how these things are done. Be careful what you click on, and DO NOT click on the Sponsored Ads unless you recognise the URL (if in doubt, hover the cursor over it and look for the address at the bottom of the page). They're just so easy to arrange - always first on the page, vaguely familiar names, tailored to popular searches. They must be okay, right, or Google/Bing/Yahoo wouldn't allow them? Wrong. Search-engine companies need the money, and they accept paid-for advertising, few questions asked. If it behaves itself for a couple of days they lose interest, and that's when the switch can be made ... and you end up with a rootkit.
Full story is on Computerworld, here. From that story:
IDG News Service - Searching for Flash Player on Bing and Yahoo can lead to rogue pages distributing a hard-to-remove rootkit, according to security researchers from antivirus vendor GFI Software.
The problem resides with the so-called sponsored results, the advertisements displayed at the top of search results for particular keywords. These look slightly different from the organic results normally returned by Bing's algorithm, but close enough for users to frequently click on them.
In the new attack observed by GFI Software, a sponsored result shown when searching for "Adobe Flash" linked to a page called "Download Flash Player" under the GetAdobeFlash.com domain.
However, according to Alex Eckelberry, vice president and general manager of the security software division at GFI, clicking on the link redirected users to a rogue page that was advertising Flash Player 10 but distributed a dangerous rootkit instead.
"In this case, we're talking Sirefef (ZeroAccess aka Max++), probably the nastiest piece of malware circulating on the 'net right now," said Eckelberry. "Sirefef kills any attempt to remove it, and is nearly impossible to clean (short of booting onto a rescue disk and performing cleanup actions, or reformatting)," he added.
Message was edited by: Hayton on 18/10/11 01:48:50 IST
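The advice above comes down to one check: does the address behind a sponsored link actually belong to the vendor you searched for? The rogue result in this story used GetAdobeFlash.com, which contains the word "adobe" but is not adobe.com. As an added illustration that is not part of the original post, the script below parses the hostname out of a link and compares it against an allowlist of the vendor's genuine hostnames, treating only exact matches and true subdomains as the vendor. The allowlist and the lookalike address adobe.com.example are constructed assumptions for the example, not data from the post.

```python
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed allowlist of hostnames the genuine vendor uses for the download.
# This is an assumption for the example, not a list taken from the post.
EXPECTED_VENDOR_HOSTS = {"adobe.com", "get.adobe.com"}


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname of url, or None if there is none or it cannot be parsed."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return None
    return host.lower().rstrip(".") if host else None


def belongs_to(host: str, registrable: str) -> bool:
    """True only if host is the registrable domain itself or a real subdomain of it.

    Substring matching is deliberately avoided: 'getadobeflash.com' contains
    'adobe' and 'adobe.com.example' starts with 'adobe.com', but neither belongs
    to adobe.com.
    """
    return host == registrable or host.endswith("." + registrable)


def is_expected_vendor(url: str, expected_hosts: Iterable[str] = EXPECTED_VENDOR_HOSTS) -> bool:
    """True if the link's hostname belongs to one of the vendor's genuine domains."""
    host = hostname_of(url)
    if host is None:
        return False
    return any(belongs_to(host, h) for h in expected_hosts)


def check_links(urls: Iterable[str]) -> List[Tuple[str, str]]:
    """Classify each link; the verdict is what you would want to know before clicking."""
    return [
        (u, "genuine vendor domain" if is_expected_vendor(u) else "NOT the vendor: inspect before clicking")
        for u in urls
    ]


# Constructed sample: one genuine address, the domain named in the story,
# and a constructed lookalike that merely starts with the vendor's name.
SAMPLE_LINKS = [
    "https://get.adobe.com/flashplayer/",
    "http://GetAdobeFlash.com/download-flash-player",
    "http://adobe.com.example/flash",
]

if __name__ == "__main__":
    for link, verdict in check_links(SAMPLE_LINKS):
        print(f"{verdict:40} {link}")
```

Hovering over the link and reading the status bar is the manual version of `hostname_of`; the point of `belongs_to` is that the comparison has to be on the whole hostname ending, not on whether a familiar brand name appears somewhere in it.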