ZeroAccess, also known as max++ and Sirefef, is Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet mostly involved in Bitcoin mining and click fraud, while remaining hidden on a system using rootkit techniques.
History and propagation
The ZeroAccess botnet was originally discovered around July 2011. The ZeroAccess rootkit responsible for the botnet spread is estimated to have been present on at least 9 million systems. Estimates of the size of the botnet vary across sources; antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.
The bot itself is spread through the ZeroAccess rootkit through a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either by disguising it as a legitimate file, or including it hidden as an additional payload in an executable which announces itself as, for example, bypassing copyright protection (a keygen). A second attack vector utilizes an advertising network in order to have the user click on an advertisement that redirects them to a site hosting the malicious software itself. A third infection vector used is an affiliate scheme where third party persons are paid for installing the rootkit on a system.
In December 2013 a coalition led by Microsoft moved to destroy the command and control network for the botnet. The attack was ineffective though because not all C&C were seized, and its peer-to-peer command and control component was unaffected - meaning the botnet could still be updated at will.
Once a system has been infected with the ZeroAccess rootkit it will start one of the two main botnet operations: Bitcoin mining or Click fraud. Machines involved in Bitcoin mining generate Bitcoins for their controller, the estimated worth of which was estimated at 2.7 million US dollars per year in September 2012. The machines used for click fraud simulate clicks on website advertisements paid for on a pay per click basis. The estimated profit for this activity may be as high as 100,000 US dollars per day, costing advertisers $900,000 a day in fraudulent clicks. Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine. It may alternatively infect a random driver in C:\Windows\System32\Drivers, giving it total control over the operating system. It also disables the Windows Security Center, removing the Security Center service, Firewall and Defender, from Windows 7. Zeroaccess also hooks itself into the tcp/ip stack, to help with the Click fraud.
- Shearer, Jarrad (July 13, 2011). "Trojan.Zeroaccess". Symantec. Retrieved 27 December 2012.
- Leyden, John (24 September 2012). "Crooks can milk '$100k a day' from 1-million-zombie ZeroAccess army". The Register. Retrieved 27 December 2012.
- Wyke, James (September 19, 2012). "Over 9 million PCs infected – ZeroAccess botnet uncovered". Sophos. Retrieved 27 December 2012.
- Jackson Higgins, Kelly (Oct 30, 2012). "ZeroAccess Botnet Surges". Dark Reading. Retrieved 27 December 2012.
- Kumar, Mohit (19 Sep 2012). "9 million PCs infected with ZeroAccess botnet - Hacker News , Security updates". The hacker news. Retrieved 27 December 2012.
- Wyke, James. "The ZeroAccess rootkit". Sophos. p. 2. Retrieved 27 December 2012.
- Mimoso, Michael (October 30, 2012). "ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining". ThreatPost. Retrieved 27 December 2012.
- Gallagher, Sean (6 December 2013). "Microsoft disrupts botnet that generated $2.7M per month for operators". Ars Technica. Retrieved 9 December 2013.
- Wyke, James. "The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain" (PDF). Sophos. pp. (Page 45). Retrieved 27 December 2012.
- Ragan, Steve (October 31, 2012). "Millions of Home Networks Infected by ZeroAccess Botnet". SecurityWeek. Retrieved 27 December 2012.
- Dunn, John E (2 November 2012). "ZeroAccess bot has infected 2 million consumers, firm calculates". Techworld. Retrieved 27 December 2012.
- Analysis of the ZeroAccess botnet, created by Sophos.
- ZeroAccess Botnet, Kindsight Security Labs.
- New C&C Protocol for ZeroAccess, Kindsight Security Labs.