Free Republic

To: Alas Babylon!
Well,...you have a problem of much larger magnitude than most of us have to deal with....

Man oh Man....glad I retired from the mainframe business....

Guess I have a question ...if an enterprise is running virtual machines hosting Linux apps and Windows apps...does that help ...in detection?

36 posted on 09/03/2012 12:02:10 PM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
[ Post Reply | Private Reply | To 34 | View Replies ]


To: All
Used Google to find this:

ZeroAccess Description

***********************************EXCERPT*********************************************

ZeroAccess is a rootkit that uses advanced techniques to conceal itself and thwart your PC security software. Afterwards, ZeroAccess may also be used to open a backdoor on your system in the fashion of a backdoor Trojan. As is true of other rootkits that SpywareRemove.com malware researchers have analyzed, ZeroAccess has negligible symptoms of its activities, although you may be able to find ZeroAccess by watching for malfunctions in your anti-malware and security programs. ZeroAccess has been updated several times throughout its life and is sufficiently advanced and potentially damaging that only specialized and up-to-date anti-malware programs should be used to delete any ZeroAccess infection on your PC. Refraining from doing so will leave your computer open to attack by criminals and other forms of harmful software, and can cause loss of private information or destruction of files on your PC.

The Hidden ZeroAccess Threat to Your Computer


ZeroAccess is considered a highly-sophisticated kernel mode rootkit due to its use of multiple methods to obscure itself and attack programs that could find or remove ZeroAccess and similar rootkits. Although ZeroAccess isn’t considered quite as advanced as a TDL3 Rootkit, it remains comparable to such rootkits (including Rootkit.Boot.Mybios.a, TDSS.e!rootkit, TDSS Rootkit and Rootkit.Win32.Agent.bhnc) in terms of potential damage to your PC.

Since SpywareRemove.com malware researchers have found that ZeroAccess, like many other rootkits, prefers to load itself without an independent process that can be seen and shut down, you may not be able to tell when ZeroAccess is active unless its related attacks give off visible signals, such as browser hijacks, system slowdown or visibly-altered network settings.

However, the attack that ZeroAccess is most well-known for is its ability to shut down any program that engages in behavior that ZeroAccess feels would be a threat to ZeroAccess. This includes most forms of standard system scans that are used by anti-malware and security programs. Since ZeroAccess has received multiple updates since its origin in July of 2011, keeping your anti-malware software equally up-to-date is important for removing ZeroAccess.

You may also be able to infer the existence of ZeroAccess by noting the presence of related PC infections, particularly dropper Trojans. These Trojans, such as Trojan-Downloader.Agent-BFJ, Trojan-Dropper.Win32.Delf.br, Trojan-dropper.win32.VB.agtq, Trojan-Dropper.Win32.HDrop.apo or Trojan-Downloader.Agent-FCX can install ZeroAccess and may also install spyware, ransomware Trojans, worms or other PC threats.

Why ZeroAccess is a Great Big Zero for Your Computer’s Safety


39 posted on 09/03/2012 12:27:07 PM PDT by Ernest_at_the_Beach ((The Global Warming Hoax was a Criminal Act....where is Al Gore?))
[ Post Reply | Private Reply | To 36 | View Replies ]
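The symptom the excerpt singles out, security programs being shut down by the rootkit, leaves a trace in the Service Control Manager events of the Windows System log. The script below is an added example, not code from the post or from SpywareRemove.com: the watched service list, the one-line log format and the sample lines are constructed assumptions, and the heuristic simply flags several security services stopping close together rather than any single ordinary restart.

```python
import re
from datetime import datetime

# Services whose termination is worth watching (assumed list; adjust to the
# security products actually deployed on the host).
WATCHED_SERVICES = {
    "Windows Defender",
    "Security Center",
    "Base Filtering Engine",
    "Windows Firewall",
}

# Constructed line format "<timestamp> EventID=<n> <message>", modelled on the
# Service Control Manager events in the System log: 7034 = service terminated
# unexpectedly, 7036 = service entered the running/stopped state.
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) EventID=(?P<id>\d+) (?P<msg>.*)$")
STOP_RE = re.compile(r"^The (?P<svc>.+?) service (terminated unexpectedly|entered the stopped state)")

def security_service_stops(lines):
    """Yield (timestamp, service) for every watched service that stopped or died."""
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("id") not in ("7034", "7036"):
            continue
        s = STOP_RE.match(m.group("msg"))
        if s and s.group("svc") in WATCHED_SERVICES:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), s.group("svc")

def flag_mass_shutdown(lines, window_seconds=300, min_services=2):
    """Return the set of watched services that stopped within window_seconds of
    each other once at least min_services distinct ones did; empty set = nothing
    suspicious. One service stopping is a normal restart; several security
    services dying together is the behaviour described above."""
    events = sorted(security_service_stops(lines))
    for i, (t0, _) in enumerate(events):
        hit = {svc for t, svc in events[i:] if (t - t0).total_seconds() <= window_seconds}
        if len(hit) >= min_services:
            return hit
    return set()

# Constructed sample: a harmless stop at boot, then three security services
# terminated within about half a minute of each other.
SAMPLE_LOG = [
    "2012-09-03 08:00:01 EventID=7036 The Print Spooler service entered the stopped state.",
    "2012-09-03 08:00:05 EventID=7036 The Windows Defender service entered the running state.",
    "2012-09-03 12:01:10 EventID=7034 The Windows Defender service terminated unexpectedly.",
    "2012-09-03 12:01:12 EventID=7036 The Security Center service entered the stopped state.",
    "2012-09-03 12:01:40 EventID=7034 The Base Filtering Engine service terminated unexpectedly.",
]

if __name__ == "__main__":
    print(flag_mass_shutdown(SAMPLE_LOG))
```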

To: Ernest_at_the_Beach

Well, not really. VMs can add an extra layer of protection via their individual firewalls, anti-malware, etc, but generally if you want the apps to be accessible to the users, connect and store data on the databases, and act like a real service then the VMs are going to need network access like any other machine. And therein lies the danger.

I CAN tell you that machines without a network interface or no way to communicate with the innerwebs are much, much more secure! Of course they’re useless, too...


42 posted on 09/03/2012 1:18:39 PM PDT by Alas Babylon!
[ Post Reply | Private Reply | To 36 | View Replies ]



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson