There is a renewed attempt to disrupt the operations of the ZeroAccess botnet and Microsoft, Europol and the FBI are on the case.
ZeroAccess is the botnet responsible for infecting over two million computers, specifically targeting search results as part of a click-fraud scam Microsoft said is costing online advertisers $2.7 million a month. The botnet, which first appeared on the scene three years ago, has also seen use in hijacking compromised devices for Bitcoin mining.
The malware is one of the most robust and durable botnets in operation. Its developers built it to be able to ward off disruption efforts by relying on a peer-to-peer infrastructure that allows the bad guys to remotely control the botnet from tens of thousands of different computers. Symantec this past October took out a quarter of the compromised drones in the botnet army.
Microsoft launched a further attack this week in collaboration with Europol’s European Cybercrime Centre (EC3), the Federal Bureau of Investigation and tech firms including A10 Networks.
“Microsoft expects that this action will significantly disrupt the botnet’s operation, and is already working with ecosystem partners around the world to notify people if their computer is infected and will be making this information available through its Cyber Threat Intelligence Program (C-TIP),” Microsoft said.
The software giant has not provided estimates of how many machines it has taken away from the control of ZeroAccess but it knows it has not eradicated it quite yet.
“Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet. However, we do expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes,” it said.
This is Microsoft’s eighth botnet takedown operation in the past three years. The attack against ZeroAccess is Microsoft’s first anti-botnet effort since it unveiled its new Cybercrime Center last month.
Reaction to Microsoft’s zombie killing efforts from the security world has been largely positive but there have been criticisms from some security researchers that Redmond’s takedown operations have caused collateral damage to honeypot networks. In particular, the sinkholing of domains associated with the Citadel botnet back in June provoked protests about disruption and criticism that it hadn’t actually killed the zombie network. Microsoft previously hijacked domains associated with the ZeuS banking Trojan, causing similar problems by trampling over researchers’ honeypots in the process.