On Monday, September 30, 2013, an article was posted on the Symantec Security Response blog detailing Symantec’s efforts to sinkhole 500,000 of the bots belonging to the ZeroAccess botnet. As of August 2013, ZeroAccess is one of the largest botnets in existence, with a population upwards of 1.9 million computers. ZeroAccess uses peer-to-peer (P2P) communication as its command-and-control (C&C) mechanism, so there is no central C&C server to take down.
In March of this year, Symantec security engineers began to study the mechanisms used by ZeroAccess bots to communicate with each other in an attempt to determine whether they could be sinkholed. On June 29, they observed a new version of ZeroAccess being distributed through the P2P network. The updated version addressed the design flaw that had made the botnet vulnerable to sinkholing. Symantec was nevertheless able to sinkhole a large portion of the botnet.
On July 16, Symantec began sinkholing ZeroAccess infections. This operation quickly resulted in the detachment of over half a million bots, significantly reducing the number of bots controlled by the bot master.
The ZeroAccess botnet was originally discovered on or around July 13, 2011. ZeroAccess is a Trojan horse that uses an advanced rootkit to hide itself. ZeroAccess can also create a hidden file system, download additional malware, and open a backdoor on the compromised computer.
The ZeroAccess botnet is designed to deliver payloads to infected computers. The payloads downloaded are primarily used for revenue generation purposes (Bitcoin Mining and Click Fraud).
- Click Fraud: One type of payload we have seen is the click fraud Trojan. The Trojan downloads online advertisements onto the computer and then generates artificial clicks on them as if they came from legitimate users. These false clicks count toward pay-outs in pay-per-click (PPC) affiliate schemes.
- Bitcoin Mining: The virtual currency holds a number of attractions for cybercriminals. New bitcoins are created by performing computationally intensive operations known as “mining” on computing hardware. This activity has a direct value to the bot master and a cost to the unsuspecting victim (an increased utility bill).
The threat is distributed through several means, with drive-by download being the most common attack vector. A compromised website may redirect the user to a malicious website designed to exploit the visitor’s system and install ZeroAccess. A user may also open an attachment in a phishing e-mail, which results in ZeroAccess being installed in the background without the user’s knowledge.
SOC DETECTION CAPABILITIES:
For customers with our IDS/IPS Security Management services, vendor-based signatures will be deployed automatically, as per the vendor's recommendation. If you would like further information regarding the signature states on your devices, or would like to request the activation of a specific signature, please contact your Services Manager. The Analysis Team can also be reached by requesting help via phone or e-mail, or by visiting the MSS portal at https://mss.symantec.com.
For customers with monitor-only IDS/IPS devices, Symantec MSS stands ready to provide security monitoring once your IDS/IPS vendor releases signatures and those signatures are enabled on your monitored devices.
COMPONENTS AND DETECTION
- ZeroAccess – MSS detection:
- Hot IP - ZeroAccess Sinkhole Activity
- Hot IP - ZeroAccess CnC Traffic (via 53/UDP)
- Hot IP - ZeroAccess CnC Traffic (via 123/UDP)
- Hot IP - ZeroAccess CnC Traffic
- Hot IP - Trojan.ZeroAccess P2P Botnet Node (2)
- Hot IP - Trojan.ZeroAccess P2P Botnet Node (1)
- Hot IP - Potential ZeroAccess Stats Tracker Ping (via port 53/123)
- Hot IP - Potential ZeroAccess Stats Tracker Ping (via port 123) (2)
- Hot IP - Potential ZeroAccess Stats Tracker Ping (53/UDP)
- [MSS URL Detection] ZeroAccess bot callback (click fraud)
- [MSS URL Detection] Trojan.ZeroAccess Malicious Download
- [MSS URL Detection] Trojan.ZeroAccess CnC Traffic
- ZeroAccess – Vendor Detection:
- McAfee AV
- McAfee Endpoint Protection
- NetScreen IDP
- Palo Alto Networks Firewall
- Symantec AV
- Symantec Endpoint Protection IPS Signatures
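To make concrete what the “Hot IP” and “CnC Traffic (via 53/UDP, 123/UDP)” detections above are looking for, the following is an added example and is not MSS detection logic or Symantec code. It runs two simple checks over constructed flow records: a reputation match against a hot-IP list, and a P2P heuristic that flags an internal host sending UDP/53 or UDP/123 traffic to several destinations that are not its sanctioned DNS/NTP servers. The record layout, the sanctioned server addresses, the hot-IP list, the sample flows and the peer threshold are all assumptions made for this example.

```python
"""Flag ZeroAccess-style P2P C&C riding on UDP/53 and UDP/123 in flow records.

Added example, not Symantec MSS detection content. Legitimate DNS and NTP
traffic from a workstation goes to a small, known set of servers; a host that
speaks UDP/53 or UDP/123 to many unrelated peers looks like a P2P node using
those ports to blend in. Field layout, addresses and thresholds are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Ports the advisory lists for ZeroAccess C&C and stats-tracker traffic.
WATCHED_UDP_PORTS = {53, 123}

# Sanctioned DNS/NTP infrastructure (assumed): internal hosts should only
# speak these protocols to these addresses.
SANCTIONED = {53: {"10.0.0.53"}, 123: {"10.0.0.123"}}

# A "Hot IP" style reputation list. Constructed for this example; it is not
# a real indicator list and 198.51.100.77 is a documentation-range address.
HOT_IPS = {"198.51.100.77"}

# Distinct non-sanctioned peers on one watched port before a host is flagged
# as a P2P node (assumed threshold; tune to your environment).
PEER_THRESHOLD = 3

# Constructed sample flows: "src dst proto dport".
SAMPLE_FLOWS = [
    "10.0.1.15 10.0.0.53 UDP 53",        # normal DNS to the sanctioned resolver
    "10.0.1.15 10.0.0.123 UDP 123",      # normal NTP to the sanctioned server
    "10.0.1.22 203.0.113.9 UDP 53",      # same host, three unrelated "DNS" peers
    "10.0.1.22 203.0.113.10 UDP 53",
    "10.0.1.22 203.0.113.11 UDP 53",
    "10.0.1.22 203.0.113.12 UDP 123",    # two "NTP" peers: below threshold
    "10.0.1.22 198.51.100.77 UDP 123",   # ...but one of them is on the hot list
    "10.0.1.30 192.0.2.8 UDP 53",        # a single stray resolver: not flagged
    "garbage line",                      # malformed record, skipped
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse 'src dst proto dport' (assumed layout); return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return Flow(parts[0], parts[1], parts[2].upper(), int(parts[3]))
    except ValueError:
        return None


def detect(lines: List[str]) -> Tuple[List[Flow], Dict[Tuple[str, int], List[str]]]:
    """Return (flows to hot IPs, {(src, port): sorted non-sanctioned peers})."""
    hot_hits: List[Flow] = []
    peers: Dict[Tuple[str, int], set] = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        # Check 1: reputation. Any flow to a listed address is reported.
        if flow.dst in HOT_IPS:
            hot_hits.append(flow)
        # Check 2: P2P fan-out on DNS/NTP ports to non-sanctioned servers.
        if flow.proto != "UDP" or flow.dport not in WATCHED_UDP_PORTS:
            continue
        if flow.dst in SANCTIONED[flow.dport]:
            continue
        peers[(flow.src, flow.dport)].add(flow.dst)
    p2p_nodes = {
        key: sorted(dsts) for key, dsts in peers.items() if len(dsts) >= PEER_THRESHOLD
    }
    return hot_hits, p2p_nodes


if __name__ == "__main__":
    hot, p2p = detect(SAMPLE_FLOWS)
    for f in hot:
        print(f"HOT IP: {f.src} -> {f.dst} {f.proto}/{f.dport}")
    for (src, port), dsts in p2p.items():
        print(f"P2P NODE: {src} spoke UDP/{port} to {len(dsts)} unsanctioned peers: {dsts}")
```

The second check is the more durable of the two: a hot-IP list decays as peers churn, whereas a workstation with no business talking DNS or NTP to arbitrary Internet hosts stands out regardless of which addresses the P2P network is using that week. In production, feed it from your flow collector and seed SANCTIONED from the resolvers and time servers your DHCP or group policy actually hands out.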
MITIGATION STRATEGIES AND RECOMMENDATIONS:
- Symantec recommends customers use a layered approach to securing their environment, utilizing the latest Symantec technologies, including Enterprise-Wide security monitoring from Edge to Endpoint.
- For technologies not monitored/managed by MSS, ensure all signatures are up to date, including endpoint technologies.
- Ensure all operating systems and public facing machines have the latest security patches, and antivirus software and definitions up to date.
- Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
- Ensure staff is educated on Social Engineering and Phishing techniques.
WHAT TO EXPECT FROM MSS:
Symantec MSS SOC security analysts will continue to diligently monitor, analyse, and validate any events indicative of the ZeroAccess Trojan. MSS will also continue to perform ongoing refinement of detection.
REFERENCES:
- Grappling with the ZeroAccess Botnet
- Trojan.ZeroAccess Write Up
- Symantec Paws at ZeroAccess Botnet
- Symantec Takes Down Portion of Massive ZeroAccess Botnet
We thank you again for choosing Symantec as your Managed Security Services Provider. Should you have any questions or feedback, please contact your Services Manager, or the Analysis Team can be reached by requesting help via phone, e-mail, or visiting the MSS portal at https://mss.symantec.com.
Global Client Services Team
Symantec Managed Security Services