The security firm Symantec may have dealt a serious blow to the cybercriminal gang behind ZeroAccess, one of the largest known botnets in existence, cutting the operators off from over a quarter of the machines in its grasp in an operation to liberate them, reports the IDG News Service.
Symantec says that at its height the ZeroAccess botnet consisted of over 1.9 million infected computers, which the cybercriminals put to work in Bitcoin mining and click fraud operations to generate cash. The botnet is built on a peer-to-peer (P2P) architecture, meaning that each machine in the network can communicate with the others, relaying instructions, files and data. ZeroAccess' operators use this mechanism for command and control, which makes the botnet harder to take down than botnets that rely on dedicated command and control servers: there is no single server to seize.
Or at least, it used to be harder to take down. Recently, Symantec's researchers worked out how to exploit a well-known weakness in peer-to-peer mechanisms, which allowed them to begin liberating machines from ZeroAccess. The creators of ZeroAccess quickly hit back, distributing an updated version of their malware to address the weakness, only for Symantec to respond by launching what it calls a "sinkholing operation" last July, essentially hijacking the bots from the cybercriminals in a way that prevents them from regaining control.
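The article does not describe which peer-to-peer weakness Symantec used, and the model below is not ZeroAccess's protocol or Symantec's method. It is an added illustration of the generic weakness sinkholing relies on in P2P botnets: every bot keeps a bounded list of peers and refreshes it by asking other peers, and a peer can answer with whatever list it likes. If an operator's sinkhole nodes join the network and hand out only sinkhole addresses, a bot that talks to one of them ends up knowing nothing but sinkholes and has no route left to the botmaster. The peer-list size, the freshness-based merge rule, the number of sinkhole addresses and the bot/sinkhole address names are all assumptions chosen for the simulation.

```python
"""Toy model of peer-list poisoning against a P2P botnet (constructed example)."""
import random
from dataclasses import dataclass, field

PEER_LIST_SIZE = 16  # assumed bound on the peers a bot remembers (illustrative)


@dataclass
class Bot:
    addr: str
    # peer address -> last_seen tick; fresher entries win when the list is full
    peers: dict = field(default_factory=dict)

    def merge(self, offered: dict) -> None:
        """Take fresher entries from an offered peer list, then keep only the freshest N."""
        for a, ts in offered.items():
            if a != self.addr and ts > self.peers.get(a, -1):
                self.peers[a] = ts
        freshest = sorted(self.peers.items(), key=lambda kv: kv[1], reverse=True)
        self.peers = dict(freshest[:PEER_LIST_SIZE])


class Network:
    def __init__(self, n_bots: int, sinkhole_addrs, seed: int = 0):
        self.rng = random.Random(seed)
        self.sinkholes = set(sinkhole_addrs)
        self.bots = {f"bot{i}": Bot(f"bot{i}") for i in range(n_bots)}
        self.clock = 0
        addrs = list(self.bots)
        for b in self.bots.values():  # bootstrap every bot with random legitimate peers
            for a in self.rng.sample(addrs, PEER_LIST_SIZE):
                if a != b.addr:
                    b.peers[a] = 0

    def respond(self, addr: str) -> dict:
        """Peer list the node at `addr` hands out when asked."""
        if addr in self.sinkholes:
            # The weakness: nothing forces a peer to answer honestly, so a sinkhole
            # returns only sinkhole addresses, all marked as freshly seen.
            return {s: self.clock for s in self.sinkholes}
        return dict(self.bots[addr].peers)

    def round(self, sinkhole_contacts: int = 0) -> None:
        """One gossip tick: each bot refreshes from one peer, then sinkholes announce themselves."""
        self.clock += 1
        for b in self.bots.values():
            target = self.rng.choice(list(b.peers))
            b.peers[target] = self.clock  # we just heard from this peer
            b.merge(self.respond(target))
        for s in self.sinkholes:  # sinkhole nodes contact a few random bots and get remembered
            for victim in self.rng.sample(list(self.bots), min(sinkhole_contacts, len(self.bots))):
                self.bots[victim].merge({s: self.clock})

    def detached_fraction(self) -> float:
        """Share of bots whose every known peer is a sinkhole (no path back to the botmaster)."""
        lost = sum(1 for b in self.bots.values() if set(b.peers) <= self.sinkholes)
        return lost / len(self.bots)


def run(n_bots: int, n_sinkholes: int, rounds: int, sinkhole_contacts: int, seed: int = 1) -> list:
    """Simulate `rounds` gossip ticks and return the detached fraction after each one."""
    net = Network(n_bots, [f"sink{i}" for i in range(n_sinkholes)], seed)
    history = []
    for _ in range(rounds):
        net.round(sinkhole_contacts)
        history.append(net.detached_fraction())
    return history


if __name__ == "__main__":
    for r, frac in enumerate(run(300, 32, 60, 2), 1):
        if r % 10 == 0:
            print(f"round {r:3d}: {frac:.0%} of bots know only sinkhole peers")
```

Two properties of the model are worth noticing. A bot that talks to a sinkhole once is lost immediately, because the sinkhole's reply is fresher than anything else in its list, which is the dynamic behind the short time-to-sinkhole Symantec reports below; and a detached bot never recovers, because every peer it can still ask is a sinkhole. The sinkhole pool is deliberately larger than PEER_LIST_SIZE; with fewer sinkhole addresses than slots, legitimate entries survive truncation and bots are only partially poisoned.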
Symantec’s researchers detailed the operation in a blog post on Monday:
“On July 16, we began to sinkhole ZeroAccess infections. This operation quickly resulted in the detachment of over half a million bots and made a serious dent to the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new ZeroAccess bot became sinkholed.”
Despite the operation only lasting a few days when it was launched back in July, Symantec has only made details public now. The company said that it’s spent the last couple of months working with internet service providers (ISPs) and computer emergency response teams (CERTs) to ensure that its sinkhole is stable, and that its partners can begin cleaning infected computers to put them fully out of reach of the cybercriminals.
The Impact of ZeroAccess
During the operation Symantec also gained new insight into how much money ZeroAccess makes for its controllers. The investigation showed that the gang was increasingly focused on Bitcoin mining, while also revealing that the mining was consuming around $560,000 a day in electricity alone.
Even so, the focus on Bitcoin mining is a bit perplexing, as Symantec's calculations show ZeroAccess' click fraud activities to be far more profitable:
“The bots running click fraud operations are quite active. In our tests, each bot generated approximately 257MB of network traffic every hour or 6.1GB a day,” read the report.
One possible reason is that the cybercriminals simply view Bitcoin mining as the safer activity. As F-Secure's Mikko Hypponen has suggested in the past, an infected computer used for Bitcoin mining is far less likely to have any noticeable impact on the victim beyond a slight rise in their electricity bill, so the infection is less likely to be spotted and cleaned.