"A key feature of the ZeroAccess botnet is its use of a peer-to-peer C&C communications architecture, which gives the botnet a high degree of availability and redundancy," the researchers explained in a blog post.
"Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network. This way, bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently," they say. "Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet."
Nevertheless, in June the researchers found two weaknesses in the P2P communication mechanism, and just as they were preparing to redirect the bots to their own servers, the botmasters began rolling out an updated version of the malware that closed them.
Realizing that their window of opportunity was rapidly closing, the researchers decided it was "now or never" and on July 16 began sinkholing every infected machine they could reach before the botmasters' update did.
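The peer exchange described in the quoted passage above is what makes the network resilient, and it is also what a sinkhole turns against it: a bot that accepts peer-list entries from whoever answers its queries can have its list filled with addresses the defender controls, after which it only ever talks to the defender. The following toy simulation, added here as an illustration and not code from Symantec or from the ZeroAccess malware, shows that cascade and the race the paragraph above describes. The list size, eviction rule, message shape, bootstrap (a sinkhole address planted in a few bots' lists) and the 192.0.2.0/24 documentation addresses used for the sinkhole are all assumptions; the two real weaknesses the researchers used are not described on this page and are not modelled.

```python
"""Toy simulation of peer-list gossip in a P2P botnet and of sinkholing
by peer-list poisoning.  Constructed illustration only: the list size,
eviction rule, query format and sinkhole bootstrap are assumptions, not
the ZeroAccess protocol or Symantec's actual method."""
import random
from collections import deque

PEER_LIST_SIZE = 16      # assumed: each bot remembers this many peers
CONTACTS_PER_ROUND = 3   # assumed: peers queried per gossip round
# RFC 5737 documentation addresses stand in for defender-controlled hosts.
SINKHOLE_ADDRS = [f"192.0.2.{i}" for i in range(1, PEER_LIST_SIZE + 1)]


class Bot:
    """A bot keeps a newest-first, fixed-size list of known peers."""

    def __init__(self, addr):
        self.addr = addr
        self.peers = deque(maxlen=PEER_LIST_SIZE)  # oldest entry falls off the right

    def learn(self, addrs):
        # Newest entries go to the front and push the oldest out.  Nothing is
        # verified, which is exactly what a sinkhole relies on.
        for a in addrs:
            if a == self.addr:
                continue
            if a in self.peers:
                self.peers.remove(a)
            self.peers.appendleft(a)

    def handle_get_peers(self):
        # Answer a peer-list query with the whole list, newest first.
        return list(self.peers)

    def is_cut_off(self):
        # Cut off = every peer it can still reach belongs to the defender, so
        # instructions from real peers can no longer arrive.
        return len(self.peers) > 0 and all(p in SINKHOLE_ADDRS for p in self.peers)


class Sinkhole(Bot):
    """Defender node: answers every peer query with defender addresses only."""

    def handle_get_peers(self):
        return list(SINKHOLE_ADDRS)


def build_botnet(n_bots, n_seeded, rng):
    """Create n_bots with random peer lists; the defender has got one sinkhole
    address into the lists of n_seeded bots (assumed bootstrap)."""
    addrs = [f"10.0.{i // 256}.{i % 256}" for i in range(n_bots)]
    network = {a: Bot(a) for a in addrs}
    for bot in network.values():
        bot.learn(rng.sample([a for a in addrs if a != bot.addr], PEER_LIST_SIZE))
    sink = Sinkhole("sinkhole")
    for a in SINKHOLE_ADDRS:
        network[a] = sink                  # all defender addresses reach one node
    for a in rng.sample(addrs, n_seeded):
        network[a].learn([SINKHOLE_ADDRS[0]])
    return network


def gossip_round(network, rng):
    """Every real bot asks a few known peers for their peer lists."""
    for bot in list(network.values()):
        if isinstance(bot, Sinkhole):
            continue
        picks = rng.sample(list(bot.peers), min(CONTACTS_PER_ROUND, len(bot.peers)))
        for peer_addr in picks:
            peer = network.get(peer_addr)
            if peer is not None:           # unreachable peers are simply skipped
                bot.learn(peer.handle_get_peers())


def cut_off_fraction(network):
    bots = [b for b in network.values() if not isinstance(b, Sinkhole)]
    return sum(b.is_cut_off() for b in bots) / len(bots)


def simulate(n_bots=200, n_seeded=10, rounds=40, seed=1):
    """Return the cut-off fraction after each round (index 0 = before gossip)."""
    rng = random.Random(seed)
    network = build_botnet(n_bots, n_seeded, rng)
    history = [cut_off_fraction(network)]
    for _ in range(rounds):
        gossip_round(network, rng)
        history.append(cut_off_fraction(network))
    return history


if __name__ == "__main__":
    for r, frac in enumerate(simulate()):
        if r % 5 == 0:
            print(f"round {r:2d}: {frac:.0%} of bots see only sinkhole peers")
```

Two properties of the toy carry over to the real situation. Once a bot's list holds only defender addresses it stays cut off, because every query it makes from then on is answered by the defender, and every bot that queries it inherits the poisoned list, so the cut-off set only grows. The flip side is the race in the paragraph above: a malware update that stops bots from accepting unverified lists has to reach a bot before the defender's addresses do, and whichever side touches a given bot first keeps it.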
All in all, they managed to "free" roughly half a million of the 1.9 million computers that made up the botnet. A sinkholed machine is still infected but can no longer receive the botmasters' instructions, so the researchers are now working with ISPs and CERTs around the world to get those computers cleaned.
The rest of the computers are still "working", committing click fraud and mining Bitcoin, and will surely be joined by newly infected ones, as the botmasters use a lucrative Pay-Per-Install affiliate scheme to distribute the droppers.
According to the researchers' calculations, the botmasters are likely earning tens of millions of dollars a year by operating this botnet. It's no wonder, then, that they are continually innovating and refining their malware.
Symantec researchers are set to share more details about the ZeroAccess botnet sinkholing at the Virus Bulletin Conference that starts in Berlin tomorrow. Yours truly is attending, so expect more about it soon.