Malware you can “live with”, but shouldn’t


The main symptom of a computer being infected with the ZeroAccess (or Sirefef) malware is that online searches via Google Search often lead to unhelpful pages filled with ads and equally useless links. This generates revenue for the malware’s controllers, but it’s extremely irritating for the affected users.

But the malware’s authors are clever. They know that many people will have no idea their computers are infected if ZeroAccess keeps its activity to a minimum, and that those who do notice will take their time doing something about it because they can stand the inconvenience, for a while at least.

ZeroAccess is often installed on users’ computers by the users themselves, who are tricked into believing they are installing a legitimate piece of software such as Adobe’s Flash Player. The downloader delivered this way fetches the ZeroAccess malware, which immediately starts hogging CPU resources.

“Since this is a rootkit, there are no toolbars/extensions/BHOs added to the browser. There are also no modified proxy settings or modified hosts files. What is interesting about this rootkit sample is that the redirects do not happen every time. The action will occur about once every three attempts,” points out Webroot’s Richard Melick. “The number of redirects caps out around 4-5 and then everything will seem normal until a restart of the browser.

“This erratic action can make it extremely difficult to troubleshoot. It can also prove to be very frustrating for a user to explain as it is not consistent and once the redirection occurs enough times, the issue stops for the rest of the browsing session. We have seen instances where consumers have just been ‘living with it’ for months,” he adds.
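A detection heuristic for the intermittent redirect pattern Melick describes, as an added example that is not from the article or from Webroot. It assumes a constructed per-session log of the search-result link the user clicked and the page the browser actually landed on, and flags sessions where only some clicks were diverted, since an every-click redirect points to a different cause (proxy or hosts-file tampering) than the behaviour described here.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample log (not real telemetry): session_id clicked_url landed_url.
# Session s1 shows the "about one in three" pattern; s2 is a clean session.
SAMPLE_LOG = """\
s1 https://example.org/docs https://example.org/docs
s1 https://example.org/faq https://ads.example.net/landing?x=1
s1 https://example.com/about https://www.example.com/about
s1 https://example.com/contact https://example.com/contact
s1 https://example.org/pricing https://ads.example.net/landing?x=2
s1 https://example.org/help https://example.org/help
s2 https://example.org/docs https://example.org/docs
s2 https://example.com/about https://example.com/about
"""


def host(url):
    """Hostname of a URL with a leading 'www.' stripped, so www/non-www
    variants of the same site are not counted as a hijack."""
    h = (urlparse(url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h


def parse_log(text):
    """Map session id -> list of booleans, True where the click was diverted
    to a different host than the one the user clicked on."""
    events = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or empty lines
        sid, clicked, landed = parts
        events[sid].append(host(clicked) != host(landed))
    return events


def session_stats(flags):
    clicks, hijacks = len(flags), sum(flags)
    return {"clicks": clicks, "hijacks": hijacks,
            "ratio": hijacks / clicks if clicks else 0.0}


def flag_sessions(text, min_clicks=3):
    """Return {session_id: stats} for sessions with intermittent hijacks:
    enough clicks to judge, at least one diverted, but not all of them."""
    flagged = {}
    for sid, flags in parse_log(text).items():
        stats = session_stats(flags)
        if stats["clicks"] >= min_clicks and 0 < stats["ratio"] < 1:
            flagged[sid] = stats
    return flagged
```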

Luckily for the users, this type of infection is almost benign when compared with instances of information-stealing and banking malware.

Still, they shouldn’t put up with it. It degrades the quality of their Internet use; it generates money for the controllers, which in turn motivates them to keep delivering the malware to unsuspecting victims; and, finally, the unhelpful search results could ultimately lead to more destructive malware or phishing pages.