Video Screencast Help

Grappling with the ZeroAccess Botnet

Created: 30 Sep 2013 13:07:00 GMT • Updated: 23 Jan 2014 18:04:05 GMT • Translations available: 日本語
Symantec Security Response's picture
+4 4 Votes
Login to vote

The ZeroAccess botnet is one of the largest known botnets in existence today with a population upwards of 1.9 million computers, on any given day, as observed by Symantec in August 2013. A key feature of the ZeroAccess botnet is its use of a peer-to-peer (P2P) command-and-control (C&C) communications architecture, which gives the botnet a high degree of availability and redundancy. Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet. Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network. This way, bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently. In the ZeroAccess botnet, there is constant communication between peers. Each peer continuously connects with other peers to exchange peer lists and check for updated files, making it highly resistant to any take-down attempts. 

Sinkholing the botnet
Back in March of this year, our engineers began to study in detail the mechanism used by ZeroAccess bots to communicate with each other to see how the botnet could be sinkholed. During this process, we examined a weakness that offered a difficult, but not impossible, way to sinkhole the botnet. We conducted further tests in our controlled labs and found a practical way to liberate peers from the botmaster. During this time, we continued to monitor the botnet and on June 29, we noticed that a new version of ZeroAccess being distributed through the peer-to-peer network. The updated version contained a number of changes but, crucially, it contained modifications that address the design flaws that made the botnet vulnerable to being sinkholed. The weakness in the ZeroAccess P2P mechanism was discussed by researchers in a report published in May 2013; this may have prompted the ZeroAccess botmaster to upgrade ZeroAccess to prevent any attempts to sinkhole the ZeroAccess botnet.
 
Having seen the changes beginning to roll out, and with a viable plan in place, we were faced with an option: start our operations now or risk losing the initiative. On July 16, we began to sinkhole ZeroAccess infections. This operation quickly resulted in the detachment of over half a million bots and made a serious dent to the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new ZeroAccess bot became sinkholed. To understand the potential impact of this, we need to consider what the ZeroAccess botnet is used for.
 
ZeroAccess: the courier service
Given its construction and behavior, ZeroAccess appears to be primarily designed to deliver payloads to infected computers. In a ZeroAccess botnet, the productive activity (from an attacker’s point of view) is performed by the payloads downloaded to compromised computers, which boil down to two basic types, both aimed at revenue generating activities.
 
Click fraud
One type of payload we’ve seen is the click fraud Trojan. The Trojan downloads online advertisements onto the computer and then generates artificial clicks on the ads as if they were generated by legitimate users. These false clicks count for pay-outs in pay-per-click (PPC) affiliate schemes
 
Bitcoin mining
The virtual currency holds a number of attractions for cybercriminals. The way each bitcoin comes into existence is based on the carrying out of mathematical operations known as “mining” on computing hardware. This activity has a direct value to the botmaster and a cost to unsuspecting victims; we took a closer look at the economics and impact of this activity using some old computers available in our labs. 
 
The economics of ZeroAccess
Out of interest, we took some old hardware that we had lying around in the office to test what kind of impact the ZeroAccess botnet would have in terms of energy usage and the economics of these activities. We looked at both click fraud and bitcoin mining but focussed on the bitcoin mining because it is potentially the most intensive activity undertaken by the bots and has a direct economic value to the botmaster. We infected the test lab computers with ZeroAccess and then set them bitcoin mining, we also had a clean control computer that was just allowed to idle. We hooked the computers up to power meters to see the amount of power being consumed by the test computers. The results make for some interesting reading.
 
Test computer specifications:
Model: Dell OptiPlex GX620 Pentium D 945 3.4GHz 2GB (Max TDP 95W) 
Measured energy usage per hour: 136.25 Watts (mining)
Measured energy usage per hour: 60.41 Watts (idle)
MHash/S: 1.5
 
Assuming the following details for bitcoin mining:
Bitcoin/USD rate: 131
Bitcoin difficulty factor: 86933017.7712
 
Bitcoin mining
With this kind of a rig, bitcoin mining with a single computer was always going to be an exercise in futility. Operating this rig for a whole year would only yield a measly US$0.41! But if you had 1.9 million bots available, the equation changes completely. Now thousands of dollars a day could potentially be generated by the botnet. Of course not every computer is going to be available all day every day and each computer in a botnet will have different performance levels, loading, and up time so this amount is a rough approximation. For our estimates, we assume that all these bots are operating 24 hours a day and that each bot has the same specification as our test machines. 
 
Click fraud
The bots running click fraud operations are quite active. In our tests, each bot generated approximately 257MB of network traffic every hour or 6.1GB a day. They also generated around 42 false ad clicks an hour (1008 each day). While each click may pay a penny or even a fraction of a penny, across 1.9 million infected machines, the attacker is potentially generating tens of millions of dollars a year. 
 
Now that we know the potential value of these activities, let’s look at what the costs are to run such a botnet in terms of electrical costs?
 
The energy costs
To work out the cost of ZeroAccess to an unsuspecting victim, we calculate the difference between the cost of bitcoin mining versus the cost of the computer idling; for our test setup it works out at an extra 1.82 KWh each day, which is not a whole lot for one victim to pay.
 
Energy used when mining: (136.25/1000)*24 = 3.27 KWh per day
Energy used when idle: (60.41/1000)*24 = 1.45 KWh per day
Difference: 1.82 KWh per day
 
These figures give some indications of the additional power requirements of bitcoin mining on a single computer infected by ZeroAccess. We can now extrapolate these figures out to 1.9 million bots and see what the total cost/impact is likely to be for the whole botnet. 
 
If each KWh of electricity costs $0.162 then it would cost $0.29 to mine on a single bot for 24 hours. But multiply this figure by 1.9 million for the whole botnet and we are now looking at energy usage of 3,458,000 KWh (3,458 MWh, enough to power over 111,000 homes each day.) This amount of energy is considerably greater than the output of the largest power station in Moss Landing, California, which could produce 2,484 MW and would come with a corresponding electricity bill of $560,887 a day. Despite the costs, all this energy will create just $2165 worth of bitcoins a day! With these sorts of sums it would not be economic to undertake bitcoin mining with this setup if you had to pay for it yourself. But if the bitcoins are being mined at someone else’s expense, then that changes the picture completely and it becomes a highly attractive proposition.
 
Stopping P2P botnets is hard but not impossible
What this exercise has shown is that despite the resilient P2P architecture of the ZeroAccess botnet, we have still been able to sinkhole a large portion of the bots. This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes.
 
In the meantime, Symantec have been working together with ISPs and CERTs worldwide to share information and help get infected computers cleaned. 
 
Interested in learning more?
Ross Gibb and Vikram Thakur will be presenting their findings from this operation at the annual Virus Bulletin Conference to be held in Berlin, October 2-4, 2013. In addition, a comprehensive white paper will be released soon to coincide with the presentation laying out the inner details of the ZeroAccess threat.
 
We have also created an infographic that summarizes the key facts and figures about the ZeroAccess Trojan.
 
zeroaccess_blog_infographic.png
 
 

Update - October 03, 2013:
For a more detailed look into ZeroAccess and Symantec's sinkholing of roughly half of the entire botnet, read the Security Response whitepaper:
ZeroAccess Indepth