ZeroAccess botnet
{{Short description|Windows-platform based Trojan horse computer malware}}
ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware onto an infected machine from a botnet while remaining hidden using rootkit techniques.{{Cite web|url=https://www.broadcom.com/support/security-center/detected-writeup|title=Risk Detected|website=www.broadcom.com}}
History and propagation
The ZeroAccess botnet was discovered around May 2011 at the latest.{{Cite web|url=https://securelist.com/monthly-malware-statistics-may-2011/31991/|title=Monthly Malware Statistics, May 2011|website=securelist.com}} The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems.{{cite web|url=http://nakedsecurity.sophos.com/2012/09/19/zeroaccess-botnet-uncovered/|title=Over 9 million PCs infected – ZeroAccess botnet uncovered|last=Wyke|first=James|date=19 September 2012|work=Sophos|access-date=27 December 2012}} Estimates of the botnet's size vary across sources: antivirus vendor Sophos estimated around 1 million active infected machines in the third quarter of 2012, while security firm Kindsight estimated 2.2 million infected and active systems.{{cite web|url=http://www.darkreading.com/insider-threat/167801100/security/client-security/240012561/zeroaccess-botnet-surges.html|archive-url=https://web.archive.org/web/20121203211830/http://www.darkreading.com/insider-threat/167801100/security/client-security/240012561/zeroaccess-botnet-surges.html|archive-date=2012-12-03|title=ZeroAccess Botnet Surges|last=Jackson Higgins|first=Kelly|date=Oct 30, 2012|work=Dark Reading|access-date=27 December 2012}}{{cite web|url=http://thehackernews.com/2012/09/9-million-pcs-infected-with-zeroaccess.html|title=9 million PCs infected with ZeroAccess botnet|last=Kumar|first=Mohit|date=19 Sep 2012|work=The Hacker News|access-date=27 December 2012}}
The bot itself is spread by the ZeroAccess rootkit through a variety of attack vectors. One vector is a form of social engineering, in which a user is persuaded to execute malicious code that is either disguised as a legitimate file or hidden as an additional payload inside an executable that presents itself as something else, for example a tool for bypassing copyright protection (a keygen). A second vector uses an advertising network to get the user to click on an advertisement that redirects them to a site hosting the malicious software itself. A third vector is an affiliate scheme in which third parties are paid for installing the rootkit on a system.{{cite web|url=http://nakedsecurity.sophos.com/zeroaccess2/|title=The ZeroAccess rootkit|last=Wyke|first=James|work=Sophos|date=4 April 2012|page=2|access-date=27 December 2012}}{{cite web|url=http://threatpost.com/en_us/blogs/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012|archive-url=https://web.archive.org/web/20121203160428/http://threatpost.com/en_us/blogs/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012|archive-date=2012-12-03|title=ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining|last=Mimoso|first=Michael|date=30 October 2012|work=ThreatPost|access-date=27 December 2012}}
In December 2013 a coalition led by Microsoft moved to destroy the command-and-control network of the botnet. The attack was ineffective, however, because not all C&C servers were seized and the botnet's peer-to-peer command-and-control component was unaffected, meaning the botnet could still be updated at will.{{cite web|url=https://arstechnica.com/security/2013/12/microsoft-disrupts-botnet-that-generated-2-7m-per-month-for-operators/|title=Microsoft disrupts botnet that generated $2.7M per month for operators|last=Gallagher|first=Sean|date=6 December 2013|work=Ars Technica|access-date=9 December 2013}}
Operation
Once a system has been infected with the ZeroAccess rootkit, it starts one of the botnet's two main operations: bitcoin mining or click fraud. Machines involved in bitcoin mining generate bitcoins for their controller; the estimated worth of this activity was 2.7 million US dollars per year in September 2012.{{cite web|url=https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf?dl=true|title=The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain|last=Wyke|first=James|work=Sophos|page=45|access-date=27 December 2012}} The machines used for click fraud simulate clicks on website advertisements that are paid for on a pay-per-click basis. The estimated profit from this activity may be as high as 100,000 US dollars per day,{{cite web|url=https://www.theregister.co.uk/2012/09/24/zeroaccess_botnet/|title=Crooks can milk '$100k a day' from 1-million-zombie ZeroAccess army|last=Leyden|first=John|date=24 September 2012|work=The Register|access-date=27 December 2012}}{{cite web|url=http://www.securityweek.com/millions-home-networks-infected-zeroaccess-botnet|title=Millions of Home Networks Infected by ZeroAccess Botnet|last=Ragan|first=Steve|date=31 October 2012|work=SecurityWeek|access-date=27 December 2012}} costing advertisers $900,000 a day in fraudulent clicks.{{cite web|url=http://www.pcadvisor.co.uk/news/security/zeroaccess-bot-has-infected-2-million-consumers-firm-calculates-3408841/|title=ZeroAccess bot has infected 2 million consumers, firm calculates|last=Dunn|first=John E.|date=2 November 2012|work=Techworld|access-date=27 December 2012}} Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine. Alternatively, it may infect a random driver in C:\Windows\System32\Drivers, giving it total control over the operating system.{{Citation needed|date=December 2013}} It also disables the Windows Security Center, Windows Firewall, and Windows Defender.
ZeroAccess also hooks itself into the TCP/IP stack to help with the click fraud.
The software also looks for the Tidserv malware and removes it if it finds it.
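The behaviours described in this section leave two side effects that an administrator can check for without any vendor tooling: security services that have been stopped or disabled, and a kernel driver under System32\Drivers whose file no longer carries a valid signature. The following PowerShell script is an added example written for this page; it is not code from the article or from any of the cited vendors. It assumes Windows PowerShell 5.1 or later (for the StartType property and catalog-signature awareness in Get-AuthenticodeSignature) and uses the service names wscsvc, MpsSvc and WinDefend, which correspond to the Security Center, Windows Firewall and Windows Defender services. A stopped service or a driver that fails signature verification is a lead for further investigation, not proof of this particular infection.

```powershell
# Added defensive check (not from the article): report the two side effects
# described above, so an administrator can triage a host quickly.
# Requires Windows PowerShell 5.1+ and an elevated prompt for full results.

# Real service names for the components the article says are disabled.
$securityServices = [ordered]@{
    'wscsvc'    = 'Windows Security Center'
    'MpsSvc'    = 'Windows Firewall'
    'WinDefend' = 'Windows Defender'
}

function Get-SecurityServiceState {
    # One row per service; Suspicious is set when the service is missing,
    # not running, or has been set to Disabled.
    foreach ($name in $securityServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) {
            [pscustomobject]@{
                Service = $name; Description = $securityServices[$name]
                Status = 'Missing'; StartType = 'n/a'; Suspicious = $true
            }
            continue
        }
        [pscustomobject]@{
            Service     = $name
            Description = $securityServices[$name]
            Status      = $svc.Status
            StartType   = $svc.StartType
            Suspicious  = ($svc.Status -ne 'Running' -or $svc.StartType -eq 'Disabled')
        }
    }
}

function Get-UnverifiedDrivers {
    # Every .sys file in the driver directory whose Authenticode signature does
    # not verify. A legitimate driver that has been overwritten will fail here
    # and usually shows a recent LastWriteTime, so results are sorted by it.
    # Caveat: on PowerShell older than 5.1, catalog-signed in-box drivers are
    # reported as NotSigned, which produces many benign hits.
    $driverDir = Join-Path $env:SystemRoot 'System32\drivers'
    Get-ChildItem -Path $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Driver          = $_.Name
                    LastWriteTime   = $_.LastWriteTime
                    SizeBytes       = $_.Length
                    SignatureStatus = $sig.Status
                    Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        } | Sort-Object LastWriteTime -Descending
}

Write-Host '== Security services =='
Get-SecurityServiceState | Format-Table -AutoSize

Write-Host '== Drivers in System32\drivers whose signature does not verify =='
$unverified = @(Get-UnverifiedDrivers)
if ($unverified.Count -eq 0) {
    Write-Host 'All drivers carry a valid Authenticode or catalog signature.'
} else {
    $unverified | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt; non-elevated sessions can read most driver files but may be denied on some. The script only reads state and never modifies services or files, so it is safe to run on a suspected host before deciding whether to image or reinstall it.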
References
{{reflist}}
External links
- [http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf Analysis of the ZeroAccess botnet], created by Sophos.
- [https://web.archive.org/web/20140710070427/http://www.kindsight.net/sites/default/files/Kindsight_Malware_Analysis-ZeroAcess-Botnet-final.pdf ZeroAccess Botnet], Kindsight Security Labs.
- [http://resources.alcatel-lucent.com/?cid=177653 New C&C Protocol for ZeroAccess]{{Dead link|date=March 2023 |bot=InternetArchiveBot |fix-attempted=yes }}, Kindsight Security Labs.