The ZeroAccess Developer and His Windows Kernel-Mode Debugger
You might remember ZeroAccess, one of the largest and most advanced P2P botnets that ever existed. It first appeared around 2009 in the form of a kernel-mode rootkit focused on click fraud and was later used for bitcoin mining. Later versions appeared without the kernel-mode rootkit. As we found out, the developer of ZeroAccess also created legitimate tools as a freelancer. He also mentioned a self-made Windows kernel-mode debugger in one of his service offerings, but we were unable to find it at that time. I discovered it on Virustotal in 2018, and as of this year, the ZeroAccess developer himself has posted an upgraded version on GitHub. You read correctly: the ZeroAccess developer is still active today, although he most likely no longer creates malware. At least since his last public exposure in 2016, I haven’t come across any new malware samples that use his trademark.
Background
In 2016, we at the kernelmode.info forum tried to find the developer of ZeroAccess. Back then, we discovered a number of benign Windows apps created by the same individual. We found some information about the creator from one of the tools, which was TV streaming software. It turned out that he advertised some of these legitimate tools as references on freelance sites where he sold his skills.
The information showed that the developer was 40 years old, lived in Odessa (Ukraine) and used the name Maksim Samuistov (maksimsamuistov) in Skype. At the time, I shared the information with the CERT-UA team. They were able to confirm that a person with that name does, in fact, live in Odessa. However, I was informed that local LE protected him, thus they were unable to contact him. After we published the information on X and in the kernelmode.info forum, he deleted some of his freelancing offers and disappeared… until a year later.
A Reformed ZeroAccess Developer?
In 2017, new service offerings showed up with his most recent nicknames rbmm and alex short.
Searching for these nicknames, I was able to find his GitHub, Stackoverflow and OSR accounts, which he still uses to this day:
- GitHub: https://github.com/rbmm
- Stackoverflow: https://stackoverflow.com/users/6401656/rbmm?tab=profile
- OSR Online: https://community.osr.com/u/rbmm/summary
In 2019, he also offered his services with the name Alex S. on Upwork which revealed the geo location from where he posted it (L'vivs'ka city council, Ukraine):
Later, he also created accounts on X, LinkedIn, YouTube and contributes to a blog:
- LinkedIn: https://www.linkedin.com/in/alex-short-ba3743121 (deleted)
In his X account, he also states that he is involved in the development of Protectimus and StartMenuX.
Windows Kernel-Mode Debugger Z-Dbg / YDbg
ZeroAccess’s creator likely shared pre-2025 versions of his private Windows kernel-mode debugger with other people. This can be gathered from some of his posts, and it is likely also the reason these versions were leaked to Virustotal. Before he released his debugger in 2025 under the name YDbg, it was known as Z-Dbg, probably in reference to ZeroAccess:
The creator also gives a description of the debugger’s functionality:
There’s also a video demonstration on his YouTube channel: https://www.youtube.com/watch?v=eZA5_C8pudo
The 2025 release of the debugger named YDbg can be found on his GitHub account: https://github.com/rbmm/asterisk
The previous versions can be downloaded here: Z-Dbg
The Code Signing Certificates - Who is Vertamedia?
Some of the Z-Dbg files are signed, and when we take a look at the signer data, we can see some interesting information.
This (unsigned) 64-bit debugger installer from 2018 contains the following embedded files:
| File Name | SHA256 | PE Type | Platform | Compilation Timestamp | Signature | Signer |
|---|---|---|---|---|---|---|
| DbgNew.exe | ab7eb831fb018e1f7ef62091fb5e7e94afa1a883613dfd735ee79f54d055b5c5 | EXE | 64-bit | 2018-03-26 13:43:58 UTC | - | - |
| GetPdb.exe | a62670727e49377cbd70ab62bf1856f4f96499188dad116eae4936a7dbebe005 | EXE | 64-bit | 2018-02-19 12:42:23 UTC | - | - |
| lgSessions.exe | e3faa45908a04fb5cdf4d4f6b860fd8c9ac487fc5f874ab37d0d79c15a370a78 | EXE | 32-bit | 2018-03-28 20:07:13 UTC | - | - |
| ListProtected.exe | da5f004f82b4cc15a6c5bae2d74d62cfac2f6d53128129a8c9606c41c2cff49d | EXE | 32-bit | 2017-11-15 10:38:16 UTC | - | - |
| MemDump.exe | 04ad75c1e869f509851a628dac577678749e2c7058a2f1702ed781e753a9d06d | EXE | 64-bit | 2018-04-15 15:44:35 UTC | - | - |
| Modules.exe | 9d56f4640afd9786202137e140508cab7ebc7cbbd1caf7403afb9cf1e50000bc | EXE | 64-bit | 2017-10-10 17:50:55 UTC | - | - |
| msdis170.dll | 8fa7d7a2339b6e72f592f4da719eee499f2ed3f1eb2ddde7558c9e1238e0f809 | DLL | 64-bit | 2009-11-30 22:45:35 UTC | Valid | Microsoft Corporation |
| NtRegView.exe | ef66fcd070f36652c2f5d2813dde57678a6c542280a52fdf343afff3d6d31575 | EXE | 64-bit | 2018-02-28 17:35:02 UTC | - | - |
| PdbUtils.exe | 285e0ae748125a3f7ce0fc3915d1dac90c2a3095d1690c61823c19773fadb41b | EXE | 64-bit | 2017-10-07 10:25:14 UTC | - | - |
| run as pro.exe | 0d1bec99333b8f92962e0768d3a281598117cfc1f99d5bad1be37ebaf1e95127 | EXE | 64-bit | 2017-11-15 12:29:35 UTC | - | - |
| SearchEx.exe | d02040fec884d7747e7a78d7822fb06e9255164ac8e11ef2251b0665279a4ffd | EXE | 64-bit | 2018-01-17 09:52:41 UTC | - | - |
| tkn.dll | f8be332e8b6ee09684d55319154c3e951d5daf8e22fcf0908d0ff6d135f4feca | DLL | 64-bit | 2016-09-01 15:29:06 UTC | Self-signed | 45cae3b9 |
| UnInst.dll | 301fd7692eafe3fbf5788c40f4f95e769f6d0c2078a6721d71b4a949f3558416 | DLL | 64-bit | 2018-01-18 10:59:41 UTC | - | - |
| winobj.exe | 69a6ab6caf8ed3a8cdf05a678994fe651bbc926a42a22efe2b13ccf5fd832b6e | EXE | 32-bit | 2018-03-26 13:55:13 UTC | - | - |
In this installer, the debugger’s kernel-mode library tkn.dll is self-signed with the signer 45cae3b9 and can therefore only be loaded if test signing is enabled at system boot. Aside from discovering a legitimate game of tic tac toe that he created, not much can be deduced from the signer’s name.
Let’s take a look at the files from a signed 32-bit debugger installer from 2015:
| File Name | SHA256 | PE Type | Platform | Compilation Timestamp | Signature | Signer |
|---|---|---|---|---|---|---|
| DbgNew.exe | fa81ef35b2ef360a8ea3bcad508363b3ff88c241c4190813403419e64b5ddce3 | EXE | 32-bit | 2015-10-16 18:41:28 UTC | Self-signed | max black |
| dllList.exe | d377f9cf63a38e0e76bf77db0b578158e89f3685e862d66c5fd3371bb269e9a7 | EXE | 32-bit | 2015-08-15 19:15:56 UTC | Self-signed | max black |
| GetPdb.exe | bce355e35077e6d3787062df2b5601f18726c6f34b42accf412f0d0e8a2fc212 | EXE | 32-bit | 2015-07-28 08:42:44 UTC | Self-signed | max black |
| lgSessions.exe | cd9685b3b2700d2140e51a62fe94f518aa7f94170e3ca529ac043b40ea86acc6 | EXE | 32-bit | 2015-07-24 18:57:46 UTC | Self-signed | max black |
| ListProtected.exe | cf08fb0c6fee8b6ee43676a68697aea4e968a4ed403eb21600f7fbd6f3b4cd54 | EXE | 32-bit | 2015-08-10 12:36:58 UTC | Self-signed | max black |
| MemDump.exe | 49dda01e845877c07004f74316d40a2659c24daf06e751478bb4cd073db673af | EXE | 32-bit | 2015-08-15 17:04:08 UTC | Self-signed | max black |
| msdia80.dll | 76ae5b476597eebb2e70e871f2d9a556caf3a383abb91034b2d1f194c2aea08c | DLL | 32-bit | 2005-09-23 09:52:57 UTC | - | - |
| msdis170.dll | eccc1fe7290ce4e65fb327013d8b7a9a0689503f77a3c9d5f4d590f03e5076a2 | DLL | 32-bit | 2010-03-18 12:10:19 UTC | Valid | Microsoft Corporation |
| PdbUtils.exe | 3895ef60b3979bc55e71562283d350c101c26226d2428b35cf58d115e782f5d4 | EXE | 32-bit | 2015-08-26 10:54:23 UTC | Self-signed | max black |
| reparse.exe | c188ec7e2fdabae62f03433fea84503be7413616167eb021b4f5139588b888ac | EXE | 32-bit | 2015-08-29 17:58:05 UTC | Self-signed | max black |
| run as pro.exe | 0a4f3c6bcf807f3d5c007226f1334703a5e6624b0c487fc901b8b9be14883356 | EXE | 32-bit | 2015-08-10 10:49:03 UTC | Self-signed | max black |
| tkn.dll | ed6f2c8b9402cb3fe684cccb4d47b2b244e171128f65f2b641394c3971ae908d | DLL | 32-bit | 2015-08-10 10:33:22 UTC | Valid | Vertamedia, LLC |
| winobj.exe | 6ab1247824d0e75a9a3fd34fd2b67c54900c261a511ba3893d6393e7eeaaac48 | EXE | 32-bit | 2011-05-06 06:23:45 UTC | Self-signed | max black |
As can be seen, most files are self-signed with the signer max black, a handle we already discussed in 2016 (see link in chapter Background). What’s interesting is the validly signed kernel-mode DLL with the signer Vertamedia, LLC. VertaMedia (now Adtelligent) is an ad monetization company that was founded in 2008 in Odessa, Ukraine. The question is how the ZeroAccess creator, who also seemed to be located in Odessa, got a valid code signing certificate from this company to sign his debugger. Was it stolen? Did he work for that company and use its certificate for his debugger? Did he know somebody at this company who passed him the certificate? The fact that the developer of a click fraud bot uses an ad monetization platform’s certificate to sign his own private tool cannot be a coincidence.
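The tables in this post were built from the embedded files’ PE headers and Authenticode signer data. The following PowerShell script is an added example (not the author’s tooling and not part of the debugger) that reproduces those columns for every EXE/DLL/SYS file under a directory, flags anything that is not validly signed (a self-signed driver such as tkn.dll would only load with test signing enabled), and checks whether test signing is switched on for the current boot entry. It assumes a Windows host with PowerShell 5.1 or later and the installer’s files already extracted to the path given in `-Path`; the function names are my own.

```powershell
# Added example: inventory PE files the way the tables above do and flag weak signatures.
# Assumes Windows PowerShell 5.1+ (Get-AuthenticodeSignature, Get-FileHash) and
# that the files to inspect have been extracted to -Path.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

function Get-PeHeaderInfo {
    # Reads Machine, TimeDateStamp and Characteristics straight from IMAGE_FILE_HEADER.
    param([string]$FilePath)
    $bytes = [System.IO.File]::ReadAllBytes($FilePath)
    # 'MZ' DOS header; e_lfanew at 0x3C points to the 'PE\0\0' signature
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return $null }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or $peOffset + 24 -gt $bytes.Length -or
        [BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) { return $null }
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    #   Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #   NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    $machine         = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    $timeDateStamp   = [BitConverter]::ToUInt32($bytes, $peOffset + 8)
    $characteristics = [BitConverter]::ToUInt16($bytes, $peOffset + 22)
    [PSCustomObject]@{
        Platform  = switch ($machine) { 0x014C { '32-bit' } 0x8664 { '64-bit' } default { '0x{0:X4}' -f $machine } }
        PEType    = if ($characteristics -band 0x2000) { 'DLL' } else { 'EXE' }   # IMAGE_FILE_DLL
        Timestamp = [DateTimeOffset]::FromUnixTimeSeconds($timeDateStamp).UtcDateTime.ToString('yyyy-MM-dd HH:mm:ss') + ' UTC'
    }
}

function Get-SignerInfo {
    # Classifies the Authenticode signature: '-' (unsigned), 'Self-signed', 'Valid' or the failure status.
    param([string]$FilePath)
    $sig  = Get-AuthenticodeSignature -FilePath $FilePath
    $cert = $sig.SignerCertificate
    if ($null -eq $cert) { return [PSCustomObject]@{ Signature = '-'; Signer = '-' } }
    # A self-signed (test) certificate is its own issuer. Kernel code signed this way
    # loads only when test signing is enabled, which is the weak setting to look for.
    $label = if ($cert.Subject -eq $cert.Issuer) { 'Self-signed' }
             elseif ($sig.Status -eq 'Valid')     { 'Valid' }
             else                                 { "Invalid ($($sig.Status))" }
    $simpleName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    [PSCustomObject]@{ Signature = $label; Signer = $simpleName }
}

$rows = Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys | ForEach-Object {
    $pe = Get-PeHeaderInfo -FilePath $_.FullName
    if ($null -eq $pe) { return }   # not a PE file, skip it
    $sign = Get-SignerInfo -FilePath $_.FullName
    [PSCustomObject]@{
        'File Name'             = $_.Name
        SHA256                  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        'PE Type'               = $pe.PEType
        Platform                = $pe.Platform
        'Compilation Timestamp' = $pe.Timestamp
        Signature               = $sign.Signature
        Signer                  = $sign.Signer
    }
}

$rows | Sort-Object 'File Name' | Format-Table -AutoSize

# Anything that is not validly signed deserves a second look before it is run or loaded.
$rows | Where-Object { $_.Signature -ne 'Valid' } | ForEach-Object {
    Write-Warning ("{0}: signature={1}, signer={2}" -f $_.'File Name', $_.Signature, $_.Signer)
}

# Is test signing enabled on this host? (Needed to load a self-signed kernel module; bcdedit needs admin rights.)
$bcd = bcdedit /enum '{current}' 2>$null
if ($bcd -match '^\s*testsigning\s+Yes') { Write-Warning 'Test signing is enabled for the current boot entry.' }
```

Run it as `.\Inventory-PeFiles.ps1 -Path C:\samples\zdbg` from an elevated prompt if you also want the test-signing check to work. `Get-AuthenticodeSignature` reports `Valid` only when the chain terminates in a root the host trusts, so a self-signed certificate that someone has imported into the local root store would still be labelled `Self-signed` here, because the subject/issuer comparison is evaluated first; that is deliberate, since such a certificate says nothing about who really built the file.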
There is another 32-bit debugger installer from 2015 which also contains the same signed kernel driver.
Let us take a look at the newest signed (64-bit) debugger installer (YDbg) from his GitHub account:
| File Name | SHA256 | PE Type | Platform | Compilation Timestamp | Signature | Signer |
|---|---|---|---|---|---|---|
| DbgNew.exe | 34eab4b64a57db265dda623a0734ebfaad89e09ccbb4331ca7cd40a2501603cc | EXE | 64-bit | 2025-09-10 12:26:57 UTC | Valid | DENNISBABKIN.COM, LLC |
| GetPdb.exe | f2848dcaa8ce4bcccfa2a2ee83bbbffa6b22106a65f8f720826b61b91544aaee | EXE | 64-bit | 2023-02-07 01:55:30 UTC | Valid | dennisbabkin.com, LLC |
| MemDump.exe | 8a7868e09d09fb67669a81456a8753e6cf255734efdb6853398dbc276e8b3aae | EXE | 64-bit | 2022-08-12 22:11:57 UTC | Valid | dennisbabkin.com, LLC |
| NtRegView.exe | 3645c1707b6e7036d229aa7648242fe73d2423e5ee3b24840a8bb2b23759a66e | EXE | 64-bit | 2022-11-03 11:13:07 UTC | Valid | dennisbabkin.com, LLC |
| PdbUtils.exe | ad610954ab6aa27802e1c14d17d11c9e755a39d1e87d57d56988ed44fea78ef9 | EXE | 64-bit | 2022-12-07 03:09:10 UTC | Valid | dennisbabkin.com, LLC |
| Processes.exe | 6c7e7a1c8eaad533f4c3b056565c55a3b300e660142df8b13790e05e46ea5f7b | EXE | 64-bit | 2024-06-02 06:34:16 UTC | Valid | dennisbabkin.com, LLC |
| run as pro.exe | e42ed55a33ffe62bfbae3325523edbcc3b32d7d228f56797a0619562bde3cacf | EXE | 64-bit | 2024-02-24 23:19:24 UTC | Valid | dennisbabkin.com, LLC |
| SearchEx.exe | 811802cb56c81b355b8c619d9e43278540bcfc584ede1095c55faab33978ba05 | EXE | 64-bit | 2021-06-15 00:39:28 UTC | Valid | dennisbabkin.com, LLC |
| SetProCrit.exe | ee316057df89da1b073d7daa038eb359233aedecfd8d594171fa12ce1fe7cf78 | EXE | 64-bit | 2022-08-10 16:33:34 UTC | Valid | dennisbabkin.com, LLC |
| srvs.exe | 697e9dbc98cffd3ceb8c080cc9db85198e704a40dd77c4f0c6aad6d38021418b | EXE | 64-bit | 2025-02-11 17:46:26 UTC | Valid | dennisbabkin.com, LLC |
| StartDbg.exe | 643886b8d7246a4e48520ea97d4d7ff9ac0505b04bb661490ce527621e67c5d1 | EXE | 64-bit | 2022-06-18 12:34:28 UTC | Valid | dennisbabkin.com, LLC |
| tkn.dll | 7b9ed3c76ae8c436504f73024ee723ed4ee9f7ece16e2a424cee0d559c70f542 | DLL | 64-bit | 2022-11-05 13:42:16 UTC | Valid | Microsoft Windows Hardware Compatibility Publisher |
| tvi.exe | 1764400cd10a69bcfd34b92673b463cee0ce83b4d27d38498a6afe2d0a4b920c | EXE | 64-bit | 2023-01-02 10:51:37 UTC | Valid | dennisbabkin.com, LLC |
| UnInst.dll | 82be99d169e78e4a0bd73231c845266af147db528f5a58106949a56f6c964311 | DLL | 64-bit | 2022-11-27 01:05:45 UTC | Valid | dennisbabkin.com, LLC |
| winobj.exe | 2e3670c1c7ae810ee28f7213f35ecdcb8686a81716edafc1822ebcef10d9d343 | EXE | 64-bit | 2022-11-03 11:10:18 UTC | Valid | dennisbabkin.com, LLC |
We can see that all files, including the installer itself, are signed with valid certificates of the signer dennisbabkin.com, LLC or DENNISBABKIN.COM, LLC (see blog link in chapter A Reformed ZeroAccess Developer?). Like the developer of ZeroAccess, this individual appears to be a very skilled (Windows) developer, but I’m not sure how they are related and can only hypothesize. The kernel-mode library tkn.dll is signed by Microsoft Windows Hardware Compatibility Publisher, a Microsoft program intended to make drivers more reliable, secure and fully compatible with Windows operating systems.
Conclusion
After being exposed in 2016, it appears that the ZeroAccess developer shifted from writing malware to writing legitimate software. It seems he has successfully reinvented himself, using his technical skill only for legitimate purposes rather than for writing malware. Some of his work is quite outstanding, such as his kernel-mode debugger. However, he does not provide any personal information on any of his accounts, and for good reason. I am aware that at least US law enforcement attempted to prosecute him in 2018, albeit obviously without success.
Unfortunately for him, during the ZeroAccess era there were no such things as offensive security, red teaming or APT simulation.
R136a1