The compromised computers are enslaved into a peer-to-peer botnet that has slowly grown over the years and now counts around one million active infected PCs. The number is huge, but when compared to the nine million computers that had the most recent version of the rootkit installed at one point, it seems not that bad.
The largest numbers of infected machines were predictably spotted in the US, Canada and Western Europe, although there is seemingly no country in the world that doesn't have at least one infected computer:
"Our research has discovered that the ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining," shared Sophos' Senior Threat Researcher James Wyke. "If running at maximum capacity the ZeroAccess botnet is capable of making a staggering amount of money: in excess of $100,000 a day."
Despite recent changes to the rootkit, it still acts as a malware delivery platform. The changes include a new P2P protocol, filed stored in a different location, a new autostart feature that hooks into the registry, and the use of a user-mode rootkit in 32-bit Windows.
Users usually get saddled with the rootkit when inadvertently visiting sites hosting exploit kits, when searching fake key generators, cracks and game downloads, or when already infected with malware that downloads additional malware on the machine.
"One reason for the continued growth of ZeroAccess is that the authors are using a lucrative Pay-Per-Install affiliate scheme to distribute the droppers," Wyke points out.
Users who wish to protect themselves against the rootkit (and other malware) are advised to install a reputable AV solution and keep it up to date, as most of them detect the various ZeroAccess variants.
For more detail about the malware and the botnet, download Sophos' report.