Bandwidth-burning botnet infections soar in second quarter

The report found that the ZeroAccess botnet grew to more than 1.2 million super nodes, resulting in ad-click fraud able to consume bandwidth equivalent to downloading 45 full-length movies per month per subscriber.

Kindsight explained how the ZeroAccess botnet burns through bandwidth.

The ZeroAccess bots “receive instructions from a controller directing them to click on ads on specific web sites. The web site owner gets paid by the advertiser on a per click basis usually through the intermediary of an ad network. The advertisers and ad network operator have a number of safeguards in place to protect against click fraud. The bot tries to circumvent these by simulating normal human browsing behavior. This involves using a relatively low click rate and responding to redirects, cookies and scripting as would a regular browser. Despite this low profile, the bot operates 24 hours a day, seven days a week, so the bandwidth utilization for all that browsing adds up over time.”
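The trait described above, a low click rate sustained around the clock, is something a network defender can measure per subscriber. The following sketch is an added example, not code from the Kindsight report or this article; the record layout, subscriber names and thresholds are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def hourly_profile(events):
    """events: iterable of (iso_timestamp, subscriber_id) ad-click requests.
    Returns {subscriber: (fraction_of_hours_active, clicks_per_active_hour)}."""
    buckets = defaultdict(lambda: defaultdict(int))
    first = last = None
    for ts, sub in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0, microsecond=0)
        buckets[sub][hour] += 1
        first = hour if first is None or hour < first else first
        last = hour if last is None or hour > last else last
    if first is None:
        return {}
    window_hours = int((last - first) / timedelta(hours=1)) + 1
    return {sub: (len(h) / window_hours, sum(h.values()) / len(h))
            for sub, h in buckets.items()}

def flag_always_on(events, min_coverage=0.9, max_rate=30):
    """Flag subscribers that click in nearly every hour of the window while
    staying at or below a low hourly rate (both thresholds are assumed)."""
    return sorted(sub for sub, (coverage, rate) in hourly_profile(events).items()
                  if coverage >= min_coverage and rate <= max_rate)

def build_sample():
    """Constructed data: 48 hours, one always-on clicker, one evening-only user."""
    start = datetime(2012, 6, 1)  # arbitrary constructed start time
    events = []
    for h in range(48):
        base = start + timedelta(hours=h)
        # Steady trickle: 6 clicks in every hour, day and night.
        for m in range(0, 60, 10):
            events.append(((base + timedelta(minutes=m)).isoformat(), "sub-bot"))
        # Human-like: 12 clicks per hour, but only between 19:00 and 22:00.
        if h % 24 in (19, 20, 21):
            for m in range(0, 60, 5):
                events.append(((base + timedelta(minutes=m)).isoformat(), "sub-human"))
    return events

if __name__ == "__main__":
    for sub, (coverage, rate) in sorted(hourly_profile(build_sample()).items()):
        print(f"{sub}: active in {coverage:.0%} of hours, {rate:.1f} clicks/active hour")
    print("flagged:", flag_always_on(build_sample()))
```

Hour-of-day coverage separates the two subscribers even though the evening-only user has the higher hourly click rate, which is why a rate threshold alone would miss the always-on host.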

ZeroAccess is the second highest threat level malware, behind only Flashback, according to Kindsight. The report explained how ZeroAccess has recently modified its command and control protocol.

“The underlying structure and function of the bot remain the same, but the command and control (C&C) protocol also changed in Q2 to a combination of TCP [transmission control protocol] and UDP [user datagram protocol]. The botnet continues to be very prolific with this new variety infecting about 0.8% of the home networks observed by Kindsight”, the report related.
 
