The ZeroAccess botnet is one of the largest known botnets in existence today, with a population upwards of 1.9 million computers on any given day, as observed by Symantec in August 2013. A key feature of the ZeroAccess botnet is its use of a peer-to-peer (P2P) command-and-control (C&C) communications architecture, which gives the botnet a high degree of availability and redundancy.
Sinkholing the botnet
Symantec engineers began to study in detail the mechanism used by ZeroAccess bots to communicate with each other to see how the botnet could be sinkholed.
ZeroAccess: the courier service – Given its construction and behavior, ZeroAccess appears to be primarily designed to deliver payloads to infected computers.
In a ZeroAccess botnet, the productive activity (from an attacker’s point of view) is performed by the payloads downloaded to compromised computers, which boil down to two basic types, both aimed at revenue generating activities.
Click fraud: One type of payload we’ve seen is the click fraud Trojan. The Trojan downloads online advertisements onto the computer and then generates artificial clicks on the ads as if they were generated by legitimate users. These false clicks count for pay-outs in pay-per-click (PPC) affiliate schemes.
Bitcoin mining: The virtual currency holds a number of attractions for cybercriminals. Each bitcoin comes into existence through computationally intensive mathematical operations known as “mining”, performed on computing hardware. Mining has direct value to the botmaster and imposes a cost on unsuspecting victims; we took a closer look at the economics and impact of this activity using some old computers available in our labs.
They looked at both click fraud and bitcoin mining but focussed on the latter, because it is potentially the most intensive activity undertaken by the bots and has a direct economic value to the botmaster, giving an indication of what the cost/impact is likely to be for the whole botnet.
We have also created an infographic that summarizes the key facts and figures about the ZeroAccess Trojan.