ZeroAccess is a sophisticated ad-click fraud scheme that each day generates about 140 million fraudulent ad-clicks and 260 terabytes of network traffic. Kindsight estimates that cybercriminals could be costing advertisers $900,000 per day in ad-click fraud with ZeroAccess.
ZeroAccess bot operators have registered a large number of websites that host pay per click advertisements, Kindsight explains in a detailed analysis of the malware. These sites are built around some standard templates that provide a search interface, display ads and offer domain names for sale. The bots are programmed to click on ads that are hosted by these sites. When the ad is clicked the owner of the web site is paid for the click. The bots visit a C&C server periodically and are given a list of ads to click. This allows the C&C server to dynamically control which ads are chosen, how frequently they are clicked and which bots are used.
"The ZeroAccess botnet has grown significantly to become the most active botnet we've measured this year," said Kevin McNamee, security architect and director, Kindsight Security Labs. "Cybercriminals are primarily using it to take over victim computers and conduct ad-click fraud. With ZeroAccess, they can mimic the human behavior of clicking online ads, resulting in millions of dollars of fraud."
Overall in North America, 13% of home networks in North America were infected with malware in Q3, the report found. That’s down slightly from the 14% reported in the previous quarter. But 6.5% of home networks have high-level threats, such as bots, rootkits and banking Trojans. About 8.1% of households were infected with a moderate threat level malware such as spyware, browser hijackers or adware. Some households had multiple infections including both high and moderate threat level infections.
The main infection method is through malicious websites running exploit kits such as BlackHole, Kindsight researchers explained. “When a victim lands there, it will probe their computer and attempt to infect it. Once the infection process is successful, the kit generally installs a rootkit botnet such as Alureon or ZeroAccess, which is then used to coordinate additional malware activity.”
The victim is attracted to these malicious websites either by offers (often discernible as dubious by wary consumers) of free services in ads or through email scams purporting to be from a business or some level of government (the tax department is a good candidate) informing them of an issue with their account. These mails either contain malicious links or compromised attachments. In some cases that website will directly download fake anti-virus software, a spambot or a banking Trojan like Zeus or SpyEye.
On the mobile side, Android adware is on the rise and being distributed via Google Play. It accounts for a staggering 90% of infections among mobile devices. However, researchers put that number into perspective:
“In mobile networks we found that 0.3% of devices were infected with high-level threats,” researchers said. “The infected devices include Android phones and laptops tethered to a phone on connected directly through a mobile USB stick/hub. The infection rate is low because the total device count includes a large number of feature phones that are not malware targets. However, we saw a 165% increase in the number of Android malware samples.”
For the most part these are all “trojanized” apps that steal information about the phone or send SMS messages, but the company’s list of top threats also includes a banking Trojan that intercepts access tokens for banking websites and two spyware applications that are used to spy on family members or associates.