ZeroAccess – The Sleeping Threat

Thursday, February 20, 2014

Edward Jones

094983f35f079e5bd15fdc2f9ce9297c

ZeroAccess, also known as Sirefef, is one of the most robust and durable botnets in recent history. It was first discovered back in July 2011 and has since infected almost 2 million Windows computers all over the world and cost online advertisers over £1.6 million each month through fraudulent clicks!

How it works

By hijacking search results and by directing people to dangerous websites that install malware onto their computers, ZeroAccess is able to steal victims’ personal information or fraudulently charge businesses for online advertisement clicks. The botnet does this by targeting search engines and browsers, including Google, Yahoo and Bing.

Due to the botnet architecture, ZeroAccess was built to be tough and difficult to disrupt. It relies on a peer-to-peer infrastructure, which allows cybercriminals to control the botnet remotely from tens of thousands of different computers – which are aptly named ‘Zombie Computers.’

Computers are often infected with the ZeroAccess bonet as a direct result of “drive-by-downloads”. These are usually websites created by cybercriminals, which downloads malware onto any unprotected computer that visits the site. Computers are also infected through illegal or counterfeit software, where ZeroAccess is disguised as legitimate software, tricking victims into downloading the botnet into their computer.

The Stats

Research by UC San Diego found that more than 800,000 ZeroAccess-infected computers were active and connected at any given time. It was also found that the ZeroAccess malware disables security features on infected computers. This leaves them susceptible to other infections, making it critical for victims to remove ZeroAccess by using malware removal or anti-virus software as quickly as possible.

In 2011, Microsoft and Symantec were able to monitor the traffic going to oneof the botnet's servers. Vikram Thakur, principal security response manager at Symantec stated, "We got back data that showed that 3 million clicks were being hijacked by that server on a daily basis".

Based on a conservative estimate of the advertising value for each click, the companies calculated that the cybercriminals were making over $1 million a year from advertising networks.  "And it could have been 2 or 3 times that much," he added.

How it was taken down

Because of the impact the botnet had to millions of innocent victims, Microsoft’s new Digital Crimes Unit took action with the help of several partners and managed to “significantly disrupted” it

Microsoft filed a civil suit against the cybercriminals responsible for the ZeroAccess botnet and won the right to stop infected computers in the USA from communicating with the 18 IP addresses identified as the servers that ZeroAccess was controlled from.

Microsoft was also able to take over 49 domains associated with ZeroAccess, with the help from A10 Networks. Europol helped by working with Latvia, Luxembourg, Switzerland, the Netherlands, and Germany to serve warrants on the servers linked with the 18 IP addresses.

David Finn, executive director of Microsoft Digital Crimes Unit, said in a statement that “The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection.”

He added: “Microsoft is committed to working collaboratively—with our customers, partners, academic experts and law enforcement—to combat cybercrime. And we’ll do everything we can to protect computer users from the sinister activities and criminal networks that victimize innocent people and businesses around the world.”

The legal and technical action significantly disrupted the botnet’s operations by forcing the cyercriminals to rebuild their criminal infrastructure and change their criminal-business model. The action also prevented victims’ ‘Zombie Computers’ from committing the fraudulent schemes. They were able to notify people around the world if their computer was infected, and made the information available through its Cyber Threat Intelligence Program (C-TIP).

But ZeroAccess wasn’t going down without a fight, it managed to block attempts to remove it, forcing Microsoft to recommend people who think they might be infected to visit http://support.microsoft.com/botnets for detailed instructions on how to remove the threat.

Is there any future threat?

Despite the command and control servers being shut down, the botnets peer-to-peer connection between infected systems allowed it to spread software updates, new configuration information, and other payloads.

The command and control servers targeted by Microsoft only delivered part of the overall clickfraud package, which included instructions on where to redirect traffic and the data required to get credit for the click from the advertiser.

Microsoft and its partners in this operation, Europol’s Cybercrime Center and Germany’s Bundeskriminalamt’s (BKA) Cyber Intelligence Unit, were able to monitor the peer-to-peer communication activity, and was able to identify and track down new IP addresses used in fraud schemes under the new configuration.

“After BKA’s quick response, the bot-herders released one additional update to the infected computers that included the message ‘WHITE FLAG,’ which we believe symbolizes that the criminals have decided to surrender control of the botnet, since that time, we have not seen any additional attempts by the bot-herders to release new code and as a result, the botnet is currently no longer being used to commit fraud.”

Does the White Flag mean the botnet is finished?

Damballa researcher Yacin Nadji, wrote a post stating that he doesn’t believe the WHITE FLAG message of surrender.

“As far as we can see, the P2P communication channel is still operational. The ‘WHITE FLAG’ message simply shows that the botmasters can communicate with the infected hosts at their leisure”.

He added “Given all the media attention focused on ZeroAccess now, immediately re-engaging in fraudulent activities is probably not in the botmasters’ best interest. The point remains that, until the P2P network is disrupted, the botnet can resume malicious activities at any time.”

If the White Flag message really meant the botnet has been abandoned, then ZeroAccess would be one of the first peer-to-peer botnets to be shut down in such an effort.

Although Microsoft in the past has led efforts to demolish botnets such as Kelihos and Nitol using a similar coordinated effort with U.S. and international law enforcement, those botnets worked off of a centralized command and control infrastructure and Microsoft was able to find the relatively small number of command servers.

Communication in a peer-to-peer botnet is much different and much harder to demolish. In this case, cybercriminals write a custom protocol that supports communication between bots; through this channel, updates and configuration changes are shared, instead of using a single point of failure.

In a 2013 research report, it was found that P2P botnets were resilient to sinkholing and other takedown methods. ZeroAccess updated its peer lists automatically every few seconds and would communicate only through the 256 most recent peers.

Dr. Brett Stone-Gross, a senior security researcher with Dell SecureWorks stated that “P2P networks are more complex to design, implement, and maintain than a centralized infrastructure and they may still be vulnerable to attacks,” he added: “There are also ways to harden a centralized botnet to make it more resilient to takedown efforts, so P2P may not be worth the additional effort.”

Dr. Brett Stone-Gross also stated that “It is very easy for the attackers to restore click-fraud capabilities, they can simply push new click-fraud modules (or other types of malware) and configuration files through the P2P network whenever they choose.”

It seems that the only way to effectively demolish the ZeroAccess botnet would be to clean all of the infected PCs of the malware.

About the Author: Edward Jones works for Firebrand Training as a technical writer. Having worked in the industry for 3 years, Edward has experience with a range of Microsoft technologies and operating systems. Edward writes for a variety of blogs and technical publications on all things technology.

Related Reading: Microsoft Disrupts ZeroAccess Botnet (SecurityWeek)

Related Reading: ZeroAccess Most Active Botnet in Q4 2012, Kindsight Reports

Related Reading: How a Security Industry Collective Shattered The Latest Hlux/Kelihos Botnet

Possibly Related Articles:
6429
Viruses & Malware
malware ZeroAccess botnet
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.