Menu
Can't keep this bad boy down: ZeroAccess botnet back in business

Can't keep this bad boy down: ZeroAccess botnet back in business

After a six-month break the ZeroAccess botnet resumes click-fraud activity

A peer-to-peer botnet called ZeroAccess came out of a six-month hibernation this month after having survived two takedown attempts by law enforcement and security researchers.

At its peak in 2013, ZeroAccess, also known as Sirefef, consisted of more than 1.9 million infected computers that were primarily used for click fraud and Bitcoin mining.

That was until security researchers from Symantec found a flaw in the botnet's resilient peer-to-peer architecture. This architecture allowed the bots to exchange files, instructions and information with each other without the need for central command-and-control servers, which are the Achilles' heel of most botnets.

By exploiting the flaw, Symantec managed to detach over half a million computers from ZeroAccess in July 2013 and launched an effort to clean them up in cooperation with ISPs and CERTs.

In December that same year the FBI, Europol, Microsoft and several security vendors launched a second operation that further crippled the botnet and led to those behind it capitulating. The botnet operators actually sent an update to the infected machines that contained the message "WHITE FLAG."

"We believe [that action] symbolizes that the criminals have decided to surrender control of the botnet," Richard Domingues Boscovich, assistant general counsel with the Microsoft Digital Crimes Unit, said at the time in a blog post.

It didn't last long. Cybercriminals reactivated the botnet and used it between March 21 and July 2, 2014, but then -- silence. Until now.

The botnet was reactivated on January 15, when it "again began distributing click-fraud templates to compromised systems," researchers from Dell SecureWorks said in a blog post Wednesday.

To perpetrate click fraud, malware displays ads on infected computers and clicks on them, masking the clicks as legitimate user actions in order to generate advertising income for the botnet operators.

ZeroAccess is only a shadow of its former self, as the attackers did not attempt to infect new systems since December 2013. However, the new activity this year indicates that they haven't completely given up on it.

The Dell SecureWorks researchers observed 55,208 unique IP addresses participating in the botnet between January 17 and January 25 -- 38,094 corresponding to compromised 32-bit Windows systems and 17,114 to 64-bit systems. The top ten affected countries are Japan, India, Russia, Italy, the U.S., Brazil, Taiwan, Romania, Venezuela and Germany.

"Although the threat actors behind ZeroAccess have not made any measurable attempts to augment the botnet in more than a year, it remains substantial in size," the SecureWorks researchers said. "Its resiliency is a testament to the tenacity of its operators and highlights the danger of malware using P2P networks."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags fraudMicrosoftmalwaresymantecDell SecureWorks

Featured

Slideshows

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

EDGE 2018: Kiwis kick back with Super Rugby before NZ session

New Zealanders kick-started EDGE 2018 with a bout of Super Rugby before a dedicated New Zealand session, in front of more than 50 partners, vendors and distributors on Hamilton Island.‚Äč

EDGE 2018: Kiwis kick back with Super Rugby before NZ session
EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018: Kiwis assess key customer priorities through NZ research

EDGE 2018 kicked off with a dedicated New Zealand track, highlighting the key customer priorities across the local market, in association with Dell EMC. Delivered through EDGE Research - leveraging Kiwi data through Tech Research Asia - more than 50 partners, vendors and distributors combined during an interactive session to assess the changing spending patterns of the end-user and the subsequent impact to the channel.

EDGE 2018: Kiwis assess key customer priorities through NZ research
Show Comments