{
	"id": "eed0dff9-0958-4f5e-8838-3f9398bfed09",
	"created_at": "2026-04-06T00:19:19.744873Z",
	"updated_at": "2026-04-10T03:21:32.416653Z",
	"deleted_at": null,
	"sha1_hash": "7c1b868295c872bc3cf3eaebcdd8d3bc0d427c81",
	"title": "Sophos Discovers ZeroAccess Using RLO | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 105222,
	"plain_text": "Sophos Discovers ZeroAccess Using RLO | Malwarebytes Labs\r\nBy Joshua Cannell\r\nPublished: 2013-07-31 · Archived: 2026-04-05 12:46:41 UTC\r\nYesterday, analysts at SophosLabs looked at a new ZeroAccess variant using some new tricks to hide itself.\r\nOr should I say old ones, which are seemingly rediscovered.\r\nIn his article, Sophos researcher James Wyke describes how ZeroAccess typically stores its local data, but explains that in this\r\nvariant “the malware authors are also using the right-to-left override and several other non-printable\r\nUnicode characters in both file paths and registry entries to further hinder identification and removal of the\r\nZeroAccess components.”\r\nIf you recall, ZeroAccess is a notorious rootkit that made its first debut in 2011 and has since produced many\r\nversions. I recently wrote about a self-debugging technique I found when unpacking a ZeroAccess sample.\r\nOn the other hand, RLO is a simple trick used by malware to obfuscate text strings, usually for the purpose of\r\nmasking file extensions. Fellow Unpacked author Jean-Taggart wrote a blog about this here.\r\nWe’ve been seeing a resurgence of the RLO trick as of late in malware samples, namely a signed piece of Mac\r\nmalware named ‘Janicab’ which was documented by F-Secure. While this technique is far from new, it might be\r\njust enough to fool the average user or junior malware analyst.\r\nhttps://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/\r\nPage 1 of 3\r\nImage: F-Secure\r\nIn the ZeroAccess sample discovered by Sophos, the malware obfuscated the registry key value for the malware’s\r\nservice, called ‘gupdate’. With RLO applied, the service binary ‘GoogleUpdate.exe’ does not initially\r\nappear to be an EXE.\r\nImage: NakedSecurity\r\nIs RLO making a comeback? It certainly seems like it.\r\nMalware authors sometimes get lazy and recycle the same old tricks to hide their dirty deeds. Nevertheless, the\r\nmethod used doesn’t always need to be complex if it gets the job done.\r\nOther simple forms of rudimentary obfuscation that are used a lot in malware are ROT13 and base64 encoding, both\r\nof which I talked about here.\r\nFor the full article from Sophos, click here.\r\n_______________________________________________________________________________\r\nJoshua Cannell is a Malware Intelligence Analyst at Malwarebytes where he performs research and in-depth\r\nanalysis on current malware threats. He has over 5 years of experience working with US defense intelligence\r\nagencies where he analyzed malware and developed defense strategies through reverse engineering techniques.\r\nHis articles on the Unpacked blog feature the latest news in malware as well as full-length technical analysis.\r\nFollow him on Twitter @joshcannell\r\nAbout the author\r\nGathers threat intelligence and reverse engineers malware like a boss.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/"
	],
	"report_names": [
		"sophos-discovers-zeroaccess-using-rlo"
	],
	"threat_actors": [],
	"ts_created_at": 1775434759,
	"ts_updated_at": 1775791292,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7c1b868295c872bc3cf3eaebcdd8d3bc0d427c81.pdf",
		"text": "https://archive.orkl.eu/7c1b868295c872bc3cf3eaebcdd8d3bc0d427c81.txt",
		"img": "https://archive.orkl.eu/7c1b868295c872bc3cf3eaebcdd8d3bc0d427c81.jpg"
	}
}