Can't keep this bad boy down: ZeroAccess botnet back in business

After a six-month break the ZeroAccess botnet resumes click-fraud activity

A peer-to-peer botnet called ZeroAccess came out of a six-month hibernation this month after having survived two takedown attempts by law enforcement and security researchers.

At its peak in 2013, ZeroAccess, also known as Sirefef, consisted of more than 1.9 million infected computers that were primarily used for click fraud and Bitcoin mining.

That was until security researchers from Symantec found a flaw in the botnet's resilient peer-to-peer architecture. This architecture allowed the bots to exchange files, instructions and information with each other without the need for central command-and-control servers, which are the Achilles' heel of most botnets.

By exploiting the flaw, Symantec managed to detach over half a million computers from ZeroAccess in July 2013 and launched an effort to clean them up in cooperation with ISPs and CERTs.

In December that same year the FBI, Europol, Microsoft and several security vendors launched a second operation that further crippled the botnet and led to those behind it capitulating. The botnet operators actually sent an update to the infected machines that contained the message "WHITE FLAG."

"We believe [that action] symbolizes that the criminals have decided to surrender control of the botnet," Richard Domingues Boscovich, assistant general counsel with the Microsoft Digital Crimes Unit, said at the time in a blog post.

It didn't last long. Cybercriminals reactivated the botnet and used it between March 21 and July 2, 2014, but then -- silence. Until now.

The botnet was reactivated on January 15, when it "again began distributing click-fraud templates to compromised systems," researchers from Dell SecureWorks said in a blog post Wednesday.

To perpetrate click fraud, malware displays ads on infected computers and clicks on them, masking the clicks as legitimate user actions in order to generate advertising income for the botnet operators.

ZeroAccess is only a shadow of its former self, as the attackers did not attempt to infect new systems since December 2013. However, the new activity this year indicates that they haven't completely given up on it.

The Dell SecureWorks researchers observed 55,208 unique IP addresses participating in the botnet between January 17 and January 25 -- 38,094 corresponding to compromised 32-bit Windows systems and 17,114 to 64-bit systems. The top ten affected countries are Japan, India, Russia, Italy, the U.S., Brazil, Taiwan, Romania, Venezuela and Germany.

"Although the threat actors behind ZeroAccess have not made any measurable attempts to augment the botnet in more than a year, it remains substantial in size," the SecureWorks researchers said. "Its resiliency is a testament to the tenacity of its operators and highlights the danger of malware using P2P networks."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags securityfraudMicrosoftmalwaresymantecDell SecureWorks

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?