ZeroAccess is a hugely widespread malware threat that has plagued individuals and enterprises for years. It has evolved over time to cater for new architectures and new versions of Windows.
Here at SophosLabs we have looked at previous incarnations of the ZeroAccess rootkit in depth, describing how it enslaves victim PCs, adding them to a peer-to-peer botnet which can receive commands to download further malware.
Most recently, Sophos’s researchers explored how ZeroAccess took a major shift in strategy, operating entirely in user-mode memory.
Due to the continued high profile of this malware family we felt it was necessary to examine the threat in greater detail, not only the latest version of ZeroAccess, but also the ZeroAccess botnet as a whole.
SophosLabs researchers can reveal that the current version of ZeroAccess has been installed on computers over nine million times with the current number of active infected PCs numbering around one million.
ZeroAccess uses a peer-to-peer network to download plugin files which carry out various tasks designed to generate revenue for the botnet owners. Our researchers monitored this network for a period of two months to discover where in the world the peers were located and what kind of files the botnet was being instructed to download.
We found the IP addresses of infected machines from a total of 198 countries ranging from the tiny island nation of Kiribati to the Himalayan Kingdom of Bhutan, as can be seen when the infected machines are plotted on a world map:
The largest numbers of infected computers were found in the USA, Canada and Western Europe:
Our research has discovered that the ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining.
If running at maximum capacity the ZeroAccess botnet is capable of making a staggering amount of money: in excess of $100,000 a day.
We have also reverse-engineered the mechanisms by which the ZeroAccess owners keep tabs on the botnet, and discovered an array of techniques used that are designed to bury the call-home network communications in legitimate-seeming traffic.
You can find out much more about ZeroAccess in our new technical paper – “The ZeroAccess Botnet – Mining and fraud for massive financial gain”.
Read: “The ZeroAccess Botnet – Mining and fraud for massive financial gain”
Snake in the shape of a zero image from Shutterstock.
14 comments on “Over 9 million PCs infected – ZeroAccess botnet uncovered”
How can I find out if my computer has been infected?
is there a way to tell if you are infected?
This is an excellent reminder as to why people must learn how to protect themselves from that type of cyber-criminal activities. It would have been nice to have a breakdown of the operating systems that infected users had on their machines. I wouldn't be surprised if none of the infected computers were using the Linux operating system.
It is interesting to see that Cuba was not affected. Goes to show that it is not always best for everyone to follow the same order. We should try and find ways to embrace individualism and different idiologies among ourselves for the greater benefit. If this was a real human virus only CUBA would have been spared.
I agree, we should think out of the box. But…
By the way, it's ideologies, not "idiologies." And no, you cannot extrapolate from a cyber virus to a biological virus. A less plausible but more interesting theory: perhaps the virus was produced in Cuba, cradle of the longest dictatorship on earth.
I work on computers in my business and have had an influx of major Zero Access infected in the last 2 months. I have to tell my customers that if they have let it go too long without acting that they will be looking at having to replace their hard drives and possibly purchasing new software, if they had a pre-loaded machine.
I too can confirm that this threat is running rampant. Lately I have been seeing 2-5 infections a week in my shop. This infection can be a royal pain to remove as well.
I try to keep my system safe by running up-to-date AV (Comodo Suite) + regular sweeps with Malwarebytes and SuperAntiSpyware. As a "oldie",surfing and emailing,how do I find out if my machine is infected?
WHAT?!?! NINE MILLION?!? THERE'S NO WAY THAT COULD BE RIGHT!!!
Minor correction: I believe the operators of ZeroAccess are paying $500 per 1000 infections rather than $500 per each infection. Nevertheless good compensation.
So far the virus I have been working on has shown no signs of resurfacing after 2 hours of working and web surfing. No redirects adds or slow down on this computer noted. Use the steps I provided and you will at least have a working computer again, and my hopes a fixed computer.
This is just the middle of the iceberg, the one who earns big on this is the ones that are smart enough to hide their virus for years. Not to mention how small a problem it actually is to hide malware/virus whatever.. The truth is, that i bet that atleast 3/4 has some kind of malware/virus on their pc, imagine that you can hide almost any malware from any AV in a matter of seconds
i iterated both the port 16464 and 16471 zeroaccess p2p nets. many xxx.254.253.254 like ip's were responded. they were not pingable. did your stat excluded those ones? i have no idea why so many that type of ip's returned.
I perform on computer systems in my company and have had an increase of significant Zero Accessibility contaminated in the last 2 several weeks. I have to tell my clients that if they have let it go a lengthy time without performing that they will be looking at having to substitute their difficult disks and probably buying new application, if they had a pre-loaded device.