It is something like an attack in reverse: researchers sinkholed a large part of a P2P-based botnet before its creators could push an update to the bots and close the security holes that let the researchers in.
“A key feature of the ZeroAccess botnet is its use of a peer-to-peer C&C communications architecture, which gives the botnet a high degree of availability and redundancy,” said researchers at Symantec in a blog post.
“Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network. This way, bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently,” they said. “Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet.”
Even so, the researchers found two weaknesses in the P2P communication mechanism in June, and just as they were getting ready to redirect the bots to their own servers, the botmasters began rolling out an updated version of the malware that fixed them.
Realizing their window of opportunity was closing, the researchers decided it was “now or never” and on July 16 began sinkholing every infected machine they could reach before the botmasters’ update did.
All in all, they managed to “free” some half a million of the 1.9 million computers that made up the botnet, and they are currently working with ISPs and CERTs around the world to help get the infected computers cleaned.
The rest of the computers are still “working” — carrying out click fraud and mining Bitcoins — and will have new comrades before long, as the botmasters use a Pay-Per-Install affiliate scheme to distribute the droppers.
According to calculations made by the researchers, the botmasters are likely earning tens of millions of dollars per year by operating this botnet.