Researchers sinkhole half a million ZeroAccess bots
Posted on 01.10.2013
In a race against time and ZeroAccess developers and botmasters, Symantec researchers managed to sinkhole a large chunk of the infamous P2P-based botnet before its herders managed to update the bots and close down the security holes that allowed the researchers to do so.


"A key feature of the ZeroAccess botnet is its use of a peer-to-peer C&C communications architecture, which gives the botnet a high degree of availability and redundancy," the researchers explained in a blog post.

"Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network. This way, bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently," they say. "Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet."
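The peer-exchange mechanism the quote describes, as a small added simulation (a constructed model written for this article, not ZeroAccess's real protocol, Symantec's sinkhole code, or the actual weaknesses they found): each bot holds a short peer list, bots merge each other's lists in exchange rounds, and an instruction injected anywhere is relayed peer to peer. The model makes the quoted point measurable: removing any modest set of bots, whether they are cleaned by an ISP or redirected to a sinkhole, barely dents the reach of the rest, which is why defenders must capture bots directly rather than take down servers. Bot ids, list sizes and the random graph are assumptions of the model.

```python
# Toy model of the peer-to-peer command channel the Symantec quote describes:
# no central server, each bot holds a short peer list, and bots learn new
# peers by swapping lists. Constructed for illustration only; it is not
# ZeroAccess's real protocol and not Symantec's sinkhole method.
import random
from collections import deque


def build_network(n_bots, peers_per_bot, seed=1):
    """Random directed peer graph: bot id -> set of peer ids it knows about."""
    rng = random.Random(seed)
    peers = {}
    for bot in range(n_bots):
        others = [p for p in range(n_bots) if p != bot]
        peers[bot] = set(rng.sample(others, peers_per_bot))
    return peers


def exchange_round(peers, alive, cap, seed=1):
    """One peer-exchange round: every live bot asks each live peer for its
    list and merges it, keeping at most `cap` entries (a seeded random trim
    so the example is reproducible). Peers no longer alive are dropped."""
    rng = random.Random(seed)
    updated = {}
    for bot, known in peers.items():
        if bot not in alive:
            updated[bot] = set(known)
            continue
        merged = set(known)
        for peer in known:
            if peer in alive:
                merged |= peers[peer]
        merged.discard(bot)
        merged = {p for p in merged if p in alive}
        updated[bot] = set(rng.sample(sorted(merged), min(cap, len(merged))))
    return updated


def propagate(peers, alive, origin):
    """Set of live bots that receive an instruction injected at `origin`
    when each recipient relays it to the peers it knows about."""
    if origin not in alive:
        return set()
    seen = {origin}
    queue = deque([origin])
    while queue:
        bot = queue.popleft()
        for peer in peers[bot]:
            if peer in alive and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def reach_without(peers, removed, origin):
    """How many bots the botmaster still reaches once `removed` bots stop
    relaying, either because they were cleaned or because a sinkhole now
    holds their peer lists. This is the number defenders want to drive down."""
    alive = set(peers) - set(removed)
    return len(propagate(peers, alive, origin))


if __name__ == "__main__":
    # Constructed sample: 500 bots, 10 known peers each, 50 bots drop out.
    net = build_network(500, 10)
    print("full reach:", reach_without(net, [], 0))
    lost = random.Random(7).sample(range(1, 500), 50)
    print("reach after 50 bots drop out:", reach_without(net, lost, 0))
    net = exchange_round(net, set(net), cap=20)
    print("same loss after one exchange round:", reach_without(net, lost, 0))
```

A four-bot ring shows the effect of a single exchange round most clearly: before the round, losing one bot cuts the instruction path at that bot; after one round every bot also knows its peer's peer, and the same loss no longer isolates anyone. At the scale of the random network the redundancy is already there from the start, which is the property the researchers had to work around.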

Nevertheless, in June the researchers found two weaknesses in the P2P communication mechanism, and just as they were getting ready to redirect the bots to their own servers, the botmasters began rolling out an updated version of the malware that fixed them.

Realizing that their window of opportunity was rapidly closing, the researchers decided it was "now or never" and on July 16 began sinkholing every infected machine they could reach before the botmasters did.

All in all, they managed to "free" some half a million of the 1.9 million computers that made up the botnet, and they are currently working with ISPs and CERTs around the world to help get the infected computers cleaned.

The rest of the computers are still "working", carrying out click fraud and mining Bitcoins, and will surely be joined by newly infected ones, as the botmasters use a lucrative pay-per-install affiliate scheme to distribute the droppers.

According to calculations made by the researchers, the botmasters are likely earning tens of millions of dollars per year by operating this botnet. It's no wonder, then, that they are continually innovating and refining their malware.

Symantec researchers are set to share more details about the ZeroAccess botnet sinkholing at the Virus Bulletin Conference that starts in Berlin tomorrow. Yours truly is attending, so expect more about it soon.
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //