Microsoft and Government Agencies Disrupt ZeroAccess Botnet, But The Hoard Survives

Microsoft and partnered law enforcement agencies from the U.S. and Europe announced on Thursday that it had disrupted the botnet responsible for millions of dollars in search ad fraud. The malicious software net, called "ZeroAccess," may be down for the count, but it's not dead yet.

Microsoft said in its blog post that its Digital Crimes Unit had successfully disrupted the ZeroAccess botnet with the help of Europol's European Cybercrime Center, the FBI, and internet firm A10 Networks. This is the third time this year that Microsoft has hunted down a botnet, and the target this time is a big catch.

The ZeroAccess botnet, also known as the Sirefef botnet, has infected nearly two million computers across the globe, costing online advertisers as much as $2.7 million in fraudulent, zombie clicks on advertising. The ZeroAccess botnet takes control of computers most often by hijacking search results and sending people to malicious websites that automatically download malware into the computer, if it's unprotected. Those malicious websites can also steal personal information, and while website "drive-by-downloads" are the most common way to infect a computer with ZeroAccess, the virus can also infiltrate a computer through malware disguised as legitimate software that gets mistakenly installed by a user.

Once it hijacks a computer, that machine becomes part of a peer-to-peer web of thousands of computers, which can be directed by hackers to perform "click fraud." Click Fraud takes advantage of pay per click advertising online, sending the hijacked computers to click on advertising through software scripts, as if they're people actually interested in the ad. This generates a charge per click from the advertisers that website owners reap. Cybercriminals benefit by selling this traffic to publishers.

The ZeroAccess botnet is also dangerous for ordinary people because, once it infects a system, it takes down any protective barriers, leaving computers completely vulnerable to other viruses. Microsoft says that most computers infected with ZeroAccess are located in the U.S. and Western Europe.

Microsoft's efforts to disrupt the ZeroAccess botnet were met with some success. Microsoft filed civil lawsuits against unnamed individuals believed to be botnet operators in the U.S. District Court for the Western District of Texas. The court allowed Microsoft's Digital Crimes Unit, working with the FBI, to block internet communication between the botnet and computers in the U.S., as well as to take control of 49 domains that were being used by ZeroAccess. In Europe, computers and servers were seized that were associated with 18 ZeroAccess IP addresses, believed to be command and control servers.

But that doesn't mean the infected hoard of computers known as ZeroAccess has been eliminated. Researchers at Damballa (via Ars Technica) found that a "significant number of servers" associated with the ZeroAccess botnet were still active. Damballa estimates that as many as 62 percent of ZeroAccess's command and control infrastructure remains active and at large.

Cybersecurity expert Krebs on Security mentioned that even if all command and control servers were disrupted, the ZeroAccess botnet would likely continue unabated, because the peer to peer architecture is designed to eliminate any single point of failure. New instructions and malware can still spread from one infected computer to another.

Microsoft recognizes these facts, saying in its blog post, "Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet." However, by disrupting the botnet's operation, Microsoft hopes to damage the cybercriminals' business model and force them to rebuild their infrastructure. Publishers who have paid for clicks from the people behind ZeroAccess will also be more identifiable, due to the precipitous drop in traffic to their sites after a significant part of the botnet's infrastructure was removed.

Microsoft also hopes users will take personal precautions to protect their computers, and clean them up if they become infected. For more information on how to remove malicious botnet software, go to Microsoft's botnet support site here.