ZeroAccess, explained Europol in an announcement late last night, "is used to commit a slew of crimes including search hijacking, which ‘hijacks’ people’s search results and redirects people to sites they had not intended or requested to go to in order to steal the money generated by their ad clicks. Zeroaccess also commits click fraud, which occurs when advertisers pay for clicks that are not the result of legitimate, interested human users’ clicks, but are the result of automated web traffic and other criminal activity."
It's a P2P-controlled botnet. Rather than instructions coming from a single central C&C server (relatively easy to takedown) it is controlled via an infrastructure of tens of thousands of PCs (almost impossible to takedown). Nevertheless, the operation led by the Microsoft Digital Crimes Unit in the US and supported by coordinated Europol action in Europe is likely to inflict serious disruption on the botnet.
We expect, explained Microsoft Assistant General Counsel Richard Domingues Boscovich in a company blog posting yesterday, "this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes."
In the US, Microsoft sought and obtained court authority to block incoming and outgoing communications between infected computers. It also identified 18 IP addresses situate in Europe at the heart of the scheme. In a multi-jurisdictional operation involving law enforcement agencies in Germany, Latvia, Luxembourg, Switzerland and the Netherlands, says Europol, "search warrants and seizures on computer servers associated with the fraudulent IP addresses were executed in several of the involved countries."
It is not claimed that this is the end of ZeroAccess. "I doubt if it’s going to take Zeroaccess off the metaphorical streets permanently any more than previous disruptions," ESET senior research fellow David Harley told Infosecurity: "P2P botnets are notoriously hard to kill, and this one has shown more resilience and ability to evolve than most in the face of previous attempts to rein it in."
Indeed, Boscovich describes the operation as a 'disruption' rather than a 'takedown'. "Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet. However, we do expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes."
Microsoft will now seek to notify ZeroAccess-infected users. Since, says Boscovich, "ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it is critical that victims rid their computers of ZeroAccess by using malware removal or anti-virus software as quickly as possible."