Menu
Can't keep this bad boy down: ZeroAccess botnet back in business

Can't keep this bad boy down: ZeroAccess botnet back in business

After a six-month break the ZeroAccess botnet resumes click-fraud activity

A peer-to-peer botnet called ZeroAccess came out of a six-month hibernation this month after having survived two takedown attempts by law enforcement and security researchers.

At its peak in 2013, ZeroAccess, also known as Sirefef, consisted of more than 1.9 million infected computers that were primarily used for click fraud and Bitcoin mining.

That was until security researchers from Symantec found a flaw in the botnet's resilient peer-to-peer architecture. This architecture allowed the bots to exchange files, instructions and information with each other without the need for central command-and-control servers, which are the Achilles' heel of most botnets.

By exploiting the flaw, Symantec managed to detach over half a million computers from ZeroAccess in July 2013 and launched an effort to clean them up in cooperation with ISPs and CERTs.

In December that same year the FBI, Europol, Microsoft and several security vendors launched a second operation that further crippled the botnet and led to those behind it capitulating. The botnet operators actually sent an update to the infected machines that contained the message "WHITE FLAG."

"We believe [that action] symbolizes that the criminals have decided to surrender control of the botnet," Richard Domingues Boscovich, assistant general counsel with the Microsoft Digital Crimes Unit, said at the time in a blog post.

It didn't last long. Cybercriminals reactivated the botnet and used it between March 21 and July 2, 2014, but then -- silence. Until now.

The botnet was reactivated on January 15, when it "again began distributing click-fraud templates to compromised systems," researchers from Dell SecureWorks said in a blog post Wednesday.

To perpetrate click fraud, malware displays ads on infected computers and clicks on them, masking the clicks as legitimate user actions in order to generate advertising income for the botnet operators.

ZeroAccess is only a shadow of its former self, as the attackers did not attempt to infect new systems since December 2013. However, the new activity this year indicates that they haven't completely given up on it.

The Dell SecureWorks researchers observed 55,208 unique IP addresses participating in the botnet between January 17 and January 25 -- 38,094 corresponding to compromised 32-bit Windows systems and 17,114 to 64-bit systems. The top ten affected countries are Japan, India, Russia, Italy, the U.S., Brazil, Taiwan, Romania, Venezuela and Germany.

"Although the threat actors behind ZeroAccess have not made any measurable attempts to augment the botnet in more than a year, it remains substantial in size," the SecureWorks researchers said. "Its resiliency is a testament to the tenacity of its operators and highlights the danger of malware using P2P networks."

Subscribe here for up-to-date channel news

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags Dell SecureWorkssymantecMicrosoftsecuritymalwarefraud

Featured

Slideshows

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards

Revealed at a glitzy bash in Sydney at the Ivy Penthouse, the first StorageCraft Partner Awards locally saw the vendor honour its top-performing partners with ASI Solutions, SMBiT Pro, Webroot, ACA Pacific and Soft Solutions New Zealand taking home the top awards. Photos by Maria Stefina.

StorageCraft celebrates high achievers at its inaugural A/NZ Partner Awards
Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip

​Synnex and Lenovo hosted 18 resellers for an action-packed weekend adventure in RotoVegas, taking in white water rafting on the Kaituna River, as well as quad biking and dinner at Stratosfare​, overlooking Lake Rotorua at the top of Mount Ngongotaha​. Photos by Synnex.

Kiwi resellers make a splash on Synnex and Lenovo RotoVegas road trip
Show Comments