Symantec Attacks ZeroAccess Botnet
October 1, 2013

Symantec Reclaims 500K Computers From ZeroAccess Botnet Army

Peter Suciu for – Your Universe Online

Computer security firm Symantec dealt a blow to cybercriminals this week as the firm disabled one of the world’s largest networks of infected computers. About 500,000 hijacked computers were taken out of the 1.9 million or so ZeroAccess botnet the company reported on Monday.

These so-called “zombie” computers were used for advertising and online currency fraud as well as to infect other machines. These computers are used to perform click fraud and Bitcoin mining as a way to generate revenues estimated at tens of millions of dollars per year.

ZeroAccess is a notorious form of botnet as it utilizes peer-to-peer architecture that allows every infected computer to relay files, instructions and information to other computers. This mechanism provides its operators with command and control (C&C) functionality, which makes this particular botnet more resilient to takedown attempts.

“The ZeroAccess botnet is one of the largest known botnets in existence today with a population upwards of 1.9 million computers, on any given day, as observed by Symantec in August 2013,” Symantec posted on Monday on its official blog.

“A key feature of the ZeroAccess botnet is its use of a peer-to-peer (P2P) command-and-control (C&C) communications architecture, which gives the botnet a high degree of availability and redundancy. Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet.”

“Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network,” the blog post explained. “This way, bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently."

"In the ZeroAccess botnet, there is constant communication between peers. Each peer continuously connects with other peers to exchange peer lists and check for updated files, making it highly resistant to any take-down attempts.”

While the security firm had discovered a practical way to liberate ZeroAccss bots from botmasters last year, in June the creators of the malware distributed a new version that addressed the flaw.

Symantec then launched a sinkhole operation in July. This operation involved hijacking the bots in a way that would prevent attackers from regaining control of them. This operation, which took only a few days, resulted in the detachment of more than half a million bots and reportedly made a serious dent in the number of bots controlled by the botmaster Symantec noted.

Symantec has worked to make sure that its sinkhole is stable and has since shared data with ISPs and computer emergency response teams (CERTs) so that the process of identifying and cleaning the infected computers can continue.

As noted, this particular botnet was involved in Bitcoin mining activity, which uses computational power to generate the virtual Bitcoin currency. Botnet mining has the potential to diminish the value of Bitcoins.

There is still concern that the ZeroAccess botnet could be rebuild and even grow.

“Every time a botnet is taken down, but the people who run it are not arrested, there is a chance they can rebuild the botnet,” Vincent Hanna, a researcher for non-profit anti-spam project Spamhaus told the BBC.