ZeroAccess botnet

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.[1]

History and propagation[edit]

The ZeroAccess botnet was discovered at least around May 2011.[2] The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems.[3] Estimates of the size of the botnet vary across sources; antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.[4][5]

The bot itself is spread through the ZeroAccess rootkit through a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either by disguising it as a legitimate file, or including it hidden as an additional payload in an executable which announces itself as, for example, bypassing copyright protection (a keygen). A second attack vector utilizes an advertising network in order to have the user click on an advertisement that redirects them to a site hosting the malicious software itself. A third infection vector used is an affiliate scheme where third party persons are paid for installing the rootkit on a system.[6][7]

In December 2013 a coalition led by Microsoft moved to destroy the command and control network for the botnet. The attack was ineffective though because not all C&C were seized, and its peer-to-peer command and control component was unaffected - meaning the botnet could still be updated at will.[8]

Operation[edit]

Once a system has been infected with the ZeroAccess rootkit it will start one of the two main botnet operations: bitcoin mining or Click fraud. Machines involved in bitcoin mining generate bitcoins for their controller, the estimated worth of which was 2.7 million US dollars per year in September 2012.[9] The machines used for click fraud simulate clicks on website advertisements paid for on a pay per click basis. The estimated profit for this activity may be as high as 100,000 US dollars per day,[10][11] costing advertisers $900,000 a day in fraudulent clicks.[12] Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine. It may alternatively infect a random driver in C:\Windows\System32\Drivers giving it total control over the operating system[citation needed]. It also disables the Windows Security Center, Firewall, and Windows Defender from the operating system. ZeroAccess also hooks itself into the TCP/IP stack to help with the click fraud.

The software also looks for the Tidserv malware and removes it if it finds it.[13]

See also[edit]

References[edit]

  1. ^ https://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99
  2. ^ Monthly Malware Statistics, May 2011 (Securelist)
  3. ^ Wyke, James (19 September 2012). "Over 9 million PCs infected – ZeroAccess botnet uncovered". Sophos. Retrieved 27 December 2012. 
  4. ^ Jackson Higgins, Kelly (Oct 30, 2012). "ZeroAccess Botnet Surges". Dark Reading. Archived from the original on 2012-12-03. Retrieved 27 December 2012. 
  5. ^ Kumar, Mohit (19 Sep 2012). "9 million PCs infected with ZeroAccess botnet - Hacker News, Security updates". The hacker news. Retrieved 27 December 2012. 
  6. ^ Wyke, James. "The ZeroAccess rootkit". Sophos. p. 2. Retrieved 27 December 2012. 
  7. ^ Mimoso, Michael (30 October 2012). "ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining". ThreatPost. Archived from the original on 2012-12-03. Retrieved 27 December 2012. 
  8. ^ Gallagher, Sean (6 December 2013). "Microsoft disrupts botnet that generated $2.7M per month for operators". Ars Technica. Retrieved 9 December 2013. 
  9. ^ Wyke, James. "The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain" (PDF). Sophos. pp. (Page 45). Retrieved 27 December 2012. 
  10. ^ Leyden, John (24 September 2012). "Crooks can milk '$100k a day' from 1-million-zombie ZeroAccess army". The Register. Retrieved 27 December 2012. 
  11. ^ Ragan, Steve (31 October 2012). "Millions of Home Networks Infected by ZeroAccess Botnet". SecurityWeek. Retrieved 27 December 2012. 
  12. ^ Dunn, John E (2 November 2012). "ZeroAccess bot has infected 2 million consumers, firm calculates". Techworld. Retrieved 27 December 2012. 
  13. ^ https://www.symantec.com/security_response/writeup.jsp?docid=2011-071314-0410-99

External links[edit]