
The ZeroAccess Botnet

Overview

ZeroAccess, also known as max++ and Sirefef, is a Trojan horse that affects Microsoft Windows operating systems. It downloads additional malware onto an infected machine and enrols the machine in a botnet used mostly for Bitcoin mining and click fraud, while hiding on the system with rootkit techniques.

The ZeroAccess botnet was originally discovered around July 2011. In December 2013 Microsoft, together with Europol's European Cybercrime Centre (EC3), the FBI and industry partners, disrupted the botnet; Microsoft estimated that its click fraud was costing online advertisers about $2.7 million a month.

However, after roughly six months of relative inactivity the botnet resumed operating.
According to Dell SecureWorks researchers, the peer-to-peer botnet resurfaced between March 21, 2014 and July 2, 2014, and since January 15, 2015 click-fraud templates have once again been distributed to compromised systems.

Description

The ZeroAccess rootkit, which installs the bot, is spread through a variety of attack vectors.

One attack vector is social engineering: the user is persuaded to execute malicious code, either because it is disguised as a legitimate file or because it is bundled as a hidden additional payload in an executable that presents itself as, for example, a copy-protection bypass (a keygen).

A second attack vector uses an advertising network: the user clicks on an advertisement that redirects them to a site hosting the malicious software itself.

A third infection vector is an affiliate scheme in which third parties are paid for each installation of the rootkit on a system.

Impact

Estimates of the size of the botnet vary across sources; antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.

The ZeroAccess rootkit responsible for the botnet spread is estimated to have been present on at least 9 million systems.

While the December 2013 disruption of ZeroAccess impacted the botnet's ability to continue its activity, the botnet has not been completely dismantled. ZeroAccess has no central command-and-control (C&C) server; infected machines communicate with one another over a peer-to-peer network, so there is no single piece of infrastructure whose seizure would stop it, which makes a complete takedown very difficult. According to the Microsoft News Center, they "do not expect to fully eliminate ZeroAccess due to the complexity of the threat."

What this means is that ZeroAccess could resume malicious activity at any given moment and, once again, wreak havoc on consumers and online advertisers.

ZeroAccess is capable of disabling security software, leaving infected machines highly vulnerable to other forms of malware. There is no telling whether the botnet operators have spent the quiet period engineering new variants of ZeroAccess. That is why it is critical to prepare your PC now, in case a more resilient variant is released into the wild.

Prevention

Since drive-by downloads exploit vulnerabilities in outdated software, one way to prevent infection by this route is to ensure that all of your software is up to date.

This includes your operating system, web browser, and other applications such as Java, Adobe Reader, and Adobe Flash. Software updates patch these vulnerabilities, so whenever there is a newer version of software you’re using, be sure to update.

When it comes to social engineering, think before you click. Files from software cracks, keygen websites, or peer-to-peer networks could be intentionally misnamed to lure you into downloading a malicious file. What may seem to be a file for the latest movie could be malware designed to give an attacker remote access to your PC.

Having reputable, up-to-date security software installed on your PC is the first step in protecting against fake antivirus software, a form of social engineering. A typical giveaway is a "virus alert" that appears in the browser, instantly "scans" your PC, reports that it has found a number of infected files, and then asks you to "buy now" to have the malware removed.

Most of the time, simply closing the browser is all you need to do. Clicking on the fake antivirus is what could lead to malware being installed on your PC. Ultimately, this may result in theft of your personal information, so familiarize yourself with how your (real) virus scanner looks.

Basic rules

Regarding the security of your computer, please consider the following basic rules:

  1. Check your computer for infection.
  2. Install the current Service Packs and security updates for your system. Activate automatic updates.
  3. Check regularly that your internet browser and its embedded plugins (e.g. Java, Flash, Shockwave, QuickTime) are up to date.
  4. Install a virus scanner and update it regularly.
  5. Use a firewall, e.g. the Windows built-in firewall or a router with a firewall.
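Rule 1 asks you to check for infection. One network-side check follows directly from the Impact section: because ZeroAccess has no central C&C, an infected host talks UDP to many different external peers, and that fan-out is visible in outbound firewall logs. The script below is an added example written for this page, not CERT-RO's own tooling; the log format, the sample log lines, the internal address range (10.0.0.0/8), the ten-minute window, the five-peer threshold and the watched UDP ports (the port numbers reported in public analyses of the 2012-era ZeroAccess peer protocol, which you should confirm against current threat intelligence) are all assumptions.

```python
"""Flag internal hosts whose outbound UDP traffic shows botnet-style
peer-to-peer fan-out: many distinct external peers on a small set of ports.

Constructed, simplified firewall log format (one record per line):
    <ISO-8601 time> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <action>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

# Assumption: UDP ports reported for the ZeroAccess peer protocol. The fan-out
# logic does not depend on this exact set; swap in your own indicator list.
ZEROACCESS_UDP_PORTS = {16464, 16465, 16470, 16471}

# Assumption: the organisation's internal range; anything outside it is "external".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample, not a real capture. 10.0.0.5 reaches five distinct peers on
# 16464 inside ten minutes (plus one more half an hour later); 10.0.0.9 reaches
# only two peers; 10.0.0.7 does ordinary DNS and NTP.
SAMPLE_LOG = """\
# firewall export, constructed for illustration
2015-01-15T10:00:01Z UDP 10.0.0.7:51000 -> 10.0.0.1:53 allow
2015-01-15T10:00:02Z UDP 10.0.0.7:123 -> 203.0.113.250:123 allow
2015-01-15T10:00:05Z UDP 10.0.0.5:48200 -> 203.0.113.10:16464 allow
2015-01-15T10:00:06Z UDP 10.0.0.5:48200 -> 198.51.100.22:16464 allow
2015-01-15T10:00:07Z UDP 10.0.0.5:48200 -> 203.0.113.10:16464 allow
2015-01-15T10:00:09Z TCP 10.0.0.5:49152 -> 203.0.113.80:443 allow
2015-01-15T10:01:10Z UDP 10.0.0.5:48200 -> 203.0.113.77:16464 deny
2015-01-15T10:02:30Z UDP 10.0.0.5:48200 -> 198.51.100.5:16464 allow
2015-01-15T10:04:00Z UDP 10.0.0.5:48200 -> 203.0.113.201:16464 allow
2015-01-15T10:05:00Z UDP 10.0.0.9:60001 -> 203.0.113.33:16471 allow
2015-01-15T10:05:01Z UDP 10.0.0.9:60001 -> 198.51.100.40:16471 allow
2015-01-15T10:30:00Z UDP 10.0.0.5:48200 -> 198.51.100.90:16464 allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)


def parse_line(line):
    """Return one parsed record as a dict, or None for lines that do not match
    (comments, headers, truncated records)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_p2p_fanout(lines, window=timedelta(minutes=10), min_peers=5,
                    ports=ZEROACCESS_UDP_PORTS):
    """Return {internal_src_ip: sorted distinct external peers} for every
    internal host that contacted at least `min_peers` distinct external
    addresses on the watched UDP ports within some `window`-long span.
    Denied attempts count too: a blocked peer lookup is still evidence."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] not in ports:
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        if src not in INTERNAL_NET or dst in INTERNAL_NET:
            continue  # only internal -> external traffic is of interest
        events[str(src)].append((rec["ts"], str(dst)))

    flagged = {}
    for src, evs in events.items():
        evs.sort()
        # Sliding window anchored at each event: distinct peers seen within it.
        for i, (start, _) in enumerate(evs):
            peers = {d for t, d in evs[i:] if t - start <= window}
            if len(peers) >= min_peers:
                flagged[src] = sorted(peers)
                break
    return flagged


if __name__ == "__main__":
    for host, peers in find_p2p_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{host}: {len(peers)} distinct external UDP peers: {', '.join(peers)}")
```

On the sample log only 10.0.0.5 is flagged: its five peers within ten minutes of 10:00:05 clear the threshold, while the 10:30 contact lies outside the window and 10.0.0.9 stops at two peers. Tune `min_peers` and `window` to your environment, and treat a hit as a reason to isolate the host and run a rootkit-aware scanner on it, not as proof by itself, since legitimate peer-to-peer software produces the same shape of traffic on its own ports.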


Copyright © 2014-2015 CERT-RO. All rights reserved.