ZeroAccess botnet


ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.[1]

History and propagation

The ZeroAccess botnet was discovered at least around May 2011.[2] The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems.[3] Estimates of the botnet's size vary across sources: antivirus vendor Sophos estimated it at around 1 million active, infected machines in the third quarter of 2012, while security firm Kindsight estimated 2.2 million infected and active systems.[4][5]

The bot itself is spread by the ZeroAccess rootkit through a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either because it is disguised as a legitimate file or because it is hidden as an additional payload in an executable that announces itself as, for example, a copyright-protection bypass (a keygen). A second attack vector uses an advertising network to have the user click on an advertisement that redirects them to a site hosting the malicious software itself. Finally, a third infection vector is an affiliate scheme in which third parties are paid for installing the rootkit on a system.[6][7]

In December 2013 a coalition led by Microsoft moved to destroy the command and control network for the botnet. The attack was ineffective, though, because not all C&C servers were seized and the botnet's peer-to-peer command and control component was unaffected, meaning the botnet could still be updated at will.[8]

Operation

Once a system has been infected with the ZeroAccess rootkit it will start one of the two main botnet operations: bitcoin mining or click fraud. Machines involved in bitcoin mining generate bitcoins for their controller, the estimated worth of which was 2.7 million US dollars per year in September 2012.[9] The machines used for click fraud simulate clicks on website advertisements that are paid for on a pay-per-click basis. The estimated profit from this activity may be as high as 100,000 US dollars per day,[10][11] costing advertisers $900,000 a day in fraudulent clicks.[12]

Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine. It may alternatively infect a random driver in C:\Windows\System32\Drivers, giving it total control over the operating system.[citation needed] It also disables Windows Security Center, Windows Firewall, and Windows Defender. ZeroAccess also hooks itself into the TCP/IP stack to help with the click fraud.
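The host-side effects described above (security services switched off, a driver in System32\Drivers overwritten, the MBR modified) are what a responder would check first on a suspect machine. The following read-only triage script is an added example and is not from the HandWiki article or from any ZeroAccess analysis; it assumes the standard Windows service names (wscsvc, MpsSvc, WinDefend) and the driver directory the article names, and it reports leads for a human to follow up rather than making an infection verdict.

```powershell
# Added example: read-only triage for the side effects the article attributes to ZeroAccess.
# Assumptions: standard Windows service names; driver directory as named in the article.
# Run from an elevated PowerShell session; nothing here changes system state.

# 1. Are the security services the article says ZeroAccess disables still running?
$services = [ordered]@{
    'wscsvc'    = 'Windows Security Center'
    'MpsSvc'    = 'Windows Firewall'
    'WinDefend' = 'Windows Defender'
}
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        "{0} ({1}): service not present" -f $services[$name], $name
        continue
    }
    $startMode = (Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'").StartMode
    "{0} ({1}): status={2}, start={3}" -f $services[$name], $name, $svc.Status, $startMode
}

# 2. Drivers in System32\Drivers whose Authenticode signature no longer verifies.
#    A legitimately shipped driver with a broken or missing signature is a lead to
#    examine, not proof of infection (some third-party drivers are simply unsigned).
$driverDir = Join-Path $env:SystemRoot 'System32\Drivers'
Get-ChildItem -Path $driverDir -Filter '*.sys' -File |
    ForEach-Object { Get-AuthenticodeSignature -FilePath $_.FullName } |
    Where-Object { $_.Status -ne 'Valid' } |
    Select-Object @{ n = 'Driver'; e = { Split-Path -Path $_.Path -Leaf } },
                  Status,
                  @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }

# 3. Hash of the first sector (the MBR) for comparison with a known-good baseline
#    taken from a clean image of the same build. Reads only 512 bytes; needs elevation.
try {
    $fs  = [System.IO.FileStream]::new('\\.\PhysicalDrive0',
               [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
    $mbr = New-Object byte[] 512
    [void]$fs.Read($mbr, 0, 512)
    $fs.Close()
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hex = ($sha.ComputeHash($mbr) | ForEach-Object { $_.ToString('x2') }) -join ''
    "MBR SHA-256: $hex"
} catch {
    "MBR read failed (run elevated): $($_.Exception.Message)"
}
```

The MBR hash is only useful against a baseline from the same disk layout and Windows build; there is no universal "good" value. Because the article notes that the rootkit hides itself with rootkit techniques, results from a live, possibly-compromised system should be cross-checked against an offline image or a boot from trusted media.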

The software also looks for the Tidserv malware and removes it if it finds it.[1]

References

  1. "Risk Detected". https://www.broadcom.com/support/security-center/detected-writeup.
  2. "Monthly Malware Statistics, May 2011". https://securelist.com/monthly-malware-statistics-may-2011/31991/.
  3. Wyke, James (19 September 2012). "Over 9 million PCs infected – ZeroAccess botnet uncovered". Sophos. http://nakedsecurity.sophos.com/2012/09/19/zeroaccess-botnet-uncovered/.
  4. Jackson Higgins, Kelly (30 October 2012). "ZeroAccess Botnet Surges". Dark Reading. http://www.darkreading.com/insider-threat/167801100/security/client-security/240012561/zeroaccess-botnet-surges.html.
  5. Kumar, Mohit (19 September 2012). "9 million PCs infected with ZeroAccess botnet". The Hacker News. http://thehackernews.com/2012/09/9-million-pcs-infected-with-zeroaccess.html.
  6. Wyke, James (4 April 2012). "The ZeroAccess rootkit". Sophos. p. 2. http://nakedsecurity.sophos.com/zeroaccess2/.
  7. Mimoso, Michael (30 October 2012). "ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining". ThreatPost. http://threatpost.com/en_us/blogs/zeroaccess-botnet-cashing-click-fraud-and-bitcoin-mining-103012.
  8. Gallagher, Sean (6 December 2013). "Microsoft disrupts botnet that generated $2.7M per month for operators". Ars Technica. https://arstechnica.com/security/2013/12/microsoft-disrupts-botnet-that-generated-2-7m-per-month-for-operators/.
  9. Wyke, James. "The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain". Sophos. p. 45. https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf?dl=true.
  10. Leyden, John (24 September 2012). "Crooks can milk '$100k a day' from 1-million-zombie ZeroAccess army". The Register. https://www.theregister.co.uk/2012/09/24/zeroaccess_botnet/.
  11. Ragan, Steve (31 October 2012). "Millions of Home Networks Infected by ZeroAccess Botnet". SecurityWeek. http://www.securityweek.com/millions-home-networks-infected-zeroaccess-botnet.
  12. Dunn, John E. (2 November 2012). "ZeroAccess bot has infected 2 million consumers, firm calculates". Techworld. http://www.pcadvisor.co.uk/news/security/zeroaccess-bot-has-infected-2-million-consumers-firm-calculates-3408841/.