Browse archive

Latest news

Oracle releases critical security updates for Java

Failed backups endanger revenue and productivity

The security of WordPress plugins

How to detect hidden administrator apps on Android

Key obstacles to effective IT security strategies

CyanogenMod founder aims to thwart data-grabbing apps

Businesses not fully implementing infosec programs

Is accessing work apps on the move destructive?

Microsoft releases Enhanced Mitigation Experience Toolkit 4.0

New regulation for ENISA, the EU cybersecurity agency

Hacking charge stations for electric cars

Lucrative ZeroAccess botnet enslaves one million active computers

Posted on 20 September 2012.

The ZeroAccess rootkit has been around for quite some time now, spying on infected users, hiding from installed AV solutions and attempting to terminate them, redirecting users' online searches to malicious pages, downloading additional malware, and waiting for commands from criminals.

The compromised computers are enslaved into a peer-to-peer botnet that has slowly grown over the years and now counts around one million active infected PCs. The number is huge, but when compared to the nine million computers that had the most recent version of the rootkit installed at one point, it seems not that bad.

The largest numbers of infected machines were predictably spotted in the US, Canada and Western Europe, although there is seemingly no country in the world that doesn't have at least one infected computer:

"Our research has discovered that the ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining," shared Sophos' Senior Threat Researcher James Wyke. "If running at maximum capacity the ZeroAccess botnet is capable of making a staggering amount of money: in excess of $100,000 a day."

Despite recent changes to the rootkit, it still acts as a malware delivery platform. The changes include a new P2P protocol, filed stored in a different location, a new autostart feature that hooks into the registry, and the use of a user-mode rootkit in 32-bit Windows.

Users usually get saddled with the rootkit when inadvertently visiting sites hosting exploit kits, when searching fake key generators, cracks and game downloads, or when already infected with malware that downloads additional malware on the machine.

"One reason for the continued growth of ZeroAccess is that the authors are using a lucrative Pay-Per-Install affiliate scheme to distribute the droppers," Wyke points out.

Users who wish to protect themselves against the rootkit (and other malware) are advised to install a reputable AV solution and keep it up to date, as most of them detect the various ZeroAccess variants.

For more detail about the malware and the botnet, download Sophos' report.