Monday, March 18, 2013

Checking ZeroAccess with Python and Scapy

I see that there are still a lot of ZeroAccess infections from EKs (exploit kits) around.
One would think these bad guys should be somewhat satisfied with well over a million bots.
But not these guys, no, they have to be the biggest, and I guess they need to sustain their illegal income!

Check here for more info on ZeroAccess and its network behaviour.

Well, enough ranting about the biggest botnet on the face of the earth.
Let's make our little Python script.
With the help of the excellent tool Scapy we will make a script that can check whether a remote host is infected with ZeroAccess. The idea is simple: send the bot's own getL (peer list) request to 16464/udp and look for the retL reply. A clean host either stays silent or answers with an ICMP port unreachable; only a bot answers with retL.

Note the requirements: root access (Scapy sends the packet through a raw socket and sniffs the interface for the answer), Scapy installed and Python 2.7.3 of course.

Run it with the remote IP as the argument and it will shout the country where penguins come from back at you, BURMA, if the host is infected.

ZeroAccessed python script

# @malforsec python script to check ZeroAccess infected hosts
# requires scapy
# requires root privs (Scapy sends via a raw socket and sniffs for the reply)
# usage: sudo python <script> <dest_ip>
# Why BURMA -> because penguins come from Burma
import sys
import binascii
from scapy.all import IP, UDP, Raw, sr1

def main():
  if len(sys.argv) != 2:
    print("usage: sudo python %s <dest_ip>" % sys.argv[0])
    sys.exit(1)
  dest_ip = sys.argv[1]
  ## alter port if you want a different source port
  src_port = 16464
  dst_port = 16464
  ## the 16-byte getL request, exactly as a bot sends it on the wire
  payload = b'\xb8\x14\x35\xfe\x28\x94\x8d\xab\xc9\xc0\xd1\x99\x85\x95\x6f\x3f'

  ## send once and wait up to 10 s for the first matching answer
  pkt = sr1(IP(dst=dest_ip)/UDP(dport=dst_port, sport=src_port)/Raw(load=payload), timeout=10)
  ## only look at the answer if there is one, it is not ICMP (e.g. port unreachable)
  ## and it actually carries a payload
  if pkt is not None and pkt.proto != 1 and Raw in pkt:
    ## bytes 4..7 of a retL reply are 28 94 8d be (the getL request has 28 94 8d ab there)
    if binascii.hexlify(pkt[Raw].load)[8:16] == b"28948dbe":
      print("\nBURMA!! : The host is ZeroAccessed\n")
      return
  print("Could not get ZeroAccess answer from host: " + dest_ip)

if __name__ == "__main__":
  main()

Download here:

Please note that firewalls, routers, NAT boxes and similar devices can block or drop the traffic between you and the remote host, so a missing answer is not proof that the host is clean. It only means that nothing on 16464/udp answered this particular getL request. So use with intelligence :)

It should be OK to test internal networks, even though it is slow: every silent host costs you one full timeout. Set the timeout wisely.

Test run

/tmp/zeroaccess$ sudo python xxx.yy.70.244
[sudo] password for malforsec: 
WARNING: No route found for IPv6 destination :: (no default route?)
Begin emission:
......Finished to send 1 packets.
Received 20 packets, got 1 answers, remaining 0 packets

BURMA!! : The host is ZeroAccessed

Yup, that worked.

If you find an infected host, don't panic. It's not like something exploded, just another regular day.
Watch this first: youtube

Then disconnect the host and do a complete reinstall. I would not recommend trying to clean up the mess. If you need to know what else ran on that box, image the disk before you wipe it.

Happy ZeroAccess hunting


  1. Er..why don't I just do something like an nmap UDP scan with some timeout options, for 16464/udp, 16465/udp, 16470/udp and 16471/udp? I see no need for a python script, but would happily be corrected if I missed something.

    1. Hi,

      nice of you to stop by and comment.

      I actually had not tried to do an nmap scan of a zeroaccessed host because I would not expect it to answer without a proper request. So a great question. Without being an nmap zen master, I have just checked, and as expected: NO, you cannot just nmap scan for ZA. I guess it is possible, but you have to configure nmap to send proper getL requests, which for me is harder than making a python script. And as I need to learn more Python I figured why not make a Python script to check for ZA.

      If you find it differently, please let me know.