Security Community Blog

Is this the end of ZeroAccess botnet?

Created: 08 Jan 2014 • Updated: 08 Jan 2014
By SebastianZ

It appears so. The ZeroAccess botnet, responsible for infecting around 2 million computers worldwide, was built to make money through pay-per-click advertising fraud. It is also known to have downloaded other threats, such as misleading applications, onto compromised machines, and it would fetch additional software in order to mine bitcoin. While this malicious activity was in progress, Trojan.Zeroaccess hid itself with the help of a very advanced rootkit.

Already in July 2013, Symantec Security Response engineers managed to "sinkhole" over 25% of the botnet's machines, following an extensive study of how the bots communicate. By making use of a weakness in the ZeroAccess P2P mechanism, about 500k machines were freed from the botnet. In the meantime, the botnet's creators distributed a new version of ZeroAccess that addressed the design flaw that had been found. More information about the Symantec Security Response study and operation may be found here:

Grappling with the ZeroAccess Botnet

https://www-secure.symantec.com/connect/blogs/grappling-zeroaccess-botnet


In December 2013, the Microsoft Digital Crimes Unit filed a civil case in the U.S. District Court for the Western District of Texas against the ZeroAccess botnet. It also received authorization from the court to block incoming and outgoing traffic between computers in the US and 18 identified IP addresses being used for the fraudulent activity. Microsoft also took control of 49 domains associated with the ZeroAccess botnet. Microsoft's actions were coordinated with the law enforcement agency Europol, which executed search warrants on the identified IP addresses in Europe.

As Microsoft suggested, the expectation of the action was not to fully eliminate the botnet, given its complexity, but to "disrupt its operations significantly", and this seems to have worked really well: since the measures taken in December, no new ZeroAccess code has been released by the malware authors. It also seems that the bot-herders have halted their activity, seeding a "White Flag" in the code of one of the last updates sent to infected computers, which may suggest they decided to give up control of the botnet for good.

Recent SophosLabs studies, published just this week, likewise show no growth in the size of the botnet and even indicate a complete stop in the number of new droppers. Together with the falling number of ZeroAccess detections, this would suggest a significant success for the worldwide actions against the botnet. The coming months will show whether this is the end, or whether we will see some evolution of this threat.


References:

Microsoft, the FBI, Europol and industry partners disrupt the notorious ZeroAccess botnet
http://www.microsoft.com/en-us/news/press/2013/dec13/12-05zeroaccessbotnetpr.aspx

ZeroAccess criminals wave white flag: The impact of partnerships on cybercrime
http://blogs.technet.com/b/microsoft_blog/archive/2013/12/19/zeroaccess-criminals-wave-white-flag-the-impact-of-partnerships-on-cybercrime.aspx

Microsoft and partners fight back against the ZeroAccess botnet
http://nakedsecurity.sophos.com/2013/12/06/microsoft-and-partners-take-down-zeroaccess-botnet

Have we seen the end of the ZeroAccess botnet?
http://nakedsecurity.sophos.com/2014/01/07/have-we-seen-the-end-of-the-zeroaccess-botnet