Symantec Takes Down a Sizeable Chunk of the ZeroAccess Botnet

ZeroAccess is estimated to be present in 2.2 to 1.9 million computers on any given day. Kindsight Security Labs Malware Report for the end of last year estimated that 1 in every 125 US home networks were infected--and it continues to evolve to better hinder detection and removal.

The bot is notable particularly in its use of a peer-to-peer (P2P) command-and-control (C&C) communications architecture, which gives the botnet an especially high degree of availability and redundancy.

“Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network,” Symantec explained in a blog. “This way, bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently. In the ZeroAccess botnet, there is constant communication between peers. Each peer continuously connects with other peers to exchange peer lists and check for updated files, making it highly resistant to any take-down attempts.”

ZeroAccess often delivers a click fraud Trojan to victims; the Trojan downloads online advertisements onto the computer and then generates artificial clicks on the ads as if they were generated by legitimate users. These false clicks count for pay-outs in pay-per-click (PPC) affiliate schemes.

Perhaps more worryingly, the architecture generates a vast amount of traffic and uses a large amount of energy, particularly when bitcoin mining (one of the botnet’s main activities). Symatec looked into the costs of the botnet to unsuspecting consumers and found that across 1.9 million machines, its energy usage is estimated to be enough to power over 111,000 homes each day—with a corresponding electricity bill of $560,887 per day.

The firm decided in March to initiate a sinkholing project. After identifying a weakness that offered a “difficult, but not impossible,” way to liberate peers from the botmaster, a new version of ZeroAccess rolled out in June. The updated version contained a number of changes but, crucially, it contained modifications that address the design flaws that made the botnet vulnerable to being sinkholed.

“The weakness in the ZeroAccess P2P mechanism was discussed by researchers in a report published in May 2013; this may have prompted the ZeroAccess botmaster to upgrade ZeroAccess to prevent any attempts to sinkhole the ZeroAccess botnet,” Symantec noted.

To try to stay ahead of the updating machines, Symantec swung into action, and on July 16 began to sinkhole infections.

“What this exercise has shown is that despite the resilient P2P architecture of the ZeroAccess botnet, we have still been able to sinkhole a large portion of the bots,” the company said. “This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes.”

In the meantime, Symantec has been working together with ISPs and CERTs worldwide to share information and help get infected computers cleaned.

What’s Hot on Infosecurity Magazine?