Over 9 million PCs infected - ZeroAccess botnet uncovered

Filed Under: Featured, Malware, SophosLabs

ZeroAccess is a hugely widespread malware threat that has plagued individuals and enterprises for years. It has evolved over time to cater for new architectures and new versions of Windows.

Here at SophosLabs we have looked at previous incarnations of the ZeroAccess rootkit in depth, describing how it enslaves victim PCs, adding them to a peer-to-peer botnet which can receive commands to download further malware.

Most recently, Sophos's researchers explored how ZeroAccess took a major shift in strategy, operating entirely in user-mode memory.

Due to the continued high profile of this malware family we felt it was necessary to examine the threat in greater detail, not only the latest version of ZeroAccess, but also the ZeroAccess botnet as a whole.

SophosLabs researchers can reveal that the current version of ZeroAccess has been installed on computers over nine million times, with the current number of active infected PCs standing at around one million.

Total installs of ZeroAccess

ZeroAccess uses a peer-to-peer network to download plugin files which carry out various tasks designed to generate revenue for the botnet owners. Our researchers monitored this network for a period of two months to discover where in the world the peers were located and what kind of files the botnet was being instructed to download.

We found the IP addresses of infected machines from a total of 198 countries ranging from the tiny island nation of Kiribati to the Himalayan Kingdom of Bhutan, as can be seen when the infected machines are plotted on a world map:

Infected computers plotted on a world map

The largest numbers of infected computers were found in the USA, Canada and Western Europe:

Infected machines around the world

Our research has discovered that the ZeroAccess botnet is currently being used for two main purposes: click fraud and Bitcoin mining.

If running at maximum capacity the ZeroAccess botnet is capable of making a staggering amount of money: in excess of $100,000 a day.

We have also reverse-engineered the mechanisms by which the ZeroAccess owners keep tabs on the botnet, and discovered an array of techniques designed to bury the call-home network communications in legitimate-seeming traffic.

You can find out much more about ZeroAccess in our new technical paper - "The ZeroAccess Botnet - Mining and fraud for massive financial gain".

Read: "The ZeroAccess Botnet - Mining and fraud for massive financial gain"

Snake in the shape of a zero image from Shutterstock.


14 Responses to Over 9 million PCs infected - ZeroAccess botnet uncovered

  1. Mary Parria Hoyt · 1077 days ago

    How can I find out if my computer has been infected?

  2. JRoby · 1077 days ago

    Is there a way to tell if you are infected?

  3. Carlos Jean-Gilles · 1076 days ago

    This is an excellent reminder as to why people must learn how to protect themselves from that type of cyber-criminal activity. It would have been nice to have a breakdown of the operating systems that infected users had on their machines. I wouldn't be surprised if none of the infected computers were using the Linux operating system.

  4. DavidF · 1076 days ago

    It is interesting to see that Cuba was not affected. Goes to show that it is not always best for everyone to follow the same order. We should try and find ways to embrace individualism and different idiologies among ourselves for the greater benefit. If this was a real human virus only CUBA would have been spared.

    • Ruben Misrahi · 1055 days ago

      I agree, we should think out of the box. But...

      By the way, it's ideologies, not "idiologies." And no, you cannot extrapolate from a cyber virus to a biological virus. A less plausible but more interesting theory: perhaps the virus was produced in Cuba, cradle of the longest dictatorship on earth.

  5. Gerald · 1076 days ago

    I work on computers in my business and have had an influx of major Zero Access infections in the last 2 months. I have to tell my customers that if they have let it go too long without acting, they will be looking at having to replace their hard drives and possibly purchasing new software, if they had a pre-loaded machine.

  6. Johann · 1076 days ago

    I too can confirm that this threat is running rampant. Lately I have been seeing 2-5 infections a week in my shop. This infection can be a royal pain to remove as well.

  7. Mike Bear · 1076 days ago

    I try to keep my system safe by running up-to-date AV (Comodo Suite) + regular sweeps with Malwarebytes and SuperAntiSpyware. As an "oldie", surfing and emailing, how do I find out if my machine is infected?

  8. nappa · 1075 days ago


  9. Starlight · 1071 days ago

    Minor correction: I believe the operators of ZeroAccess are paying $500 per 1000 infections rather than $500 per infection. Nevertheless, good compensation.

    Excellent paper!

  10. William Joseph · 1058 days ago

    So far the virus I have been working on has shown no signs of resurfacing after 2 hours of working and web surfing. No redirects, ads, or slowdown on this computer noted. Use the steps I provided and you will at least have a working computer again, and, I hope, a fixed computer.

  11. John miller · 1025 days ago

    This is just the middle of the iceberg; the ones who earn big on this are the ones that are smart enough to hide their virus for years. Not to mention how small a problem it actually is to hide malware/virus whatever. The truth is, I bet that at least 3/4 have some kind of malware/virus on their PC. Imagine that you can hide almost any malware from any AV in a matter of seconds.

  12. Liu ya · 946 days ago

    I iterated both the port 16464 and 16471 ZeroAccess P2P nets. Many xxx.254.253.254-like IPs responded. They were not pingable. Did your stats exclude those ones? I have no idea why so many IPs of that type returned.
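The article describes ZeroAccess peers fetching plugins over a peer-to-peer network, and the comment above names UDP ports 16464 and 16471 as those P2P nets. As an added example that is not part of the article, the paper or the comment thread, the following defender-side heuristic flags internal hosts that fan out to many distinct peers on those ports; the flow-record format, the sample records and the peer threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports named in the comment thread as the two ZeroAccess P2P networks.
ZEROACCESS_P2P_PORTS = {16464, 16471}

# Constructed flow records (not real captures): src_ip dst_ip proto dst_port
SAMPLE_FLOWS = """\
10.0.0.5 203.0.113.10 udp 16464
10.0.0.5 198.51.100.22 udp 16464
10.0.0.5 192.0.2.77 udp 16471
10.0.0.5 203.0.113.99 udp 16464
10.0.0.5 198.51.100.3 udp 16471
10.0.0.9 203.0.113.10 udp 16464
10.0.0.9 93.184.216.34 tcp 443
10.0.0.12 93.184.216.34 tcp 80
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (src, dst, proto, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, port = line.split()
        flows.append((src, dst, proto.lower(), int(port)))
    return flows


def p2p_peer_fanout(flows):
    """Map each source host to the set of distinct peers it contacted over
    UDP on one of the ZeroAccess P2P ports."""
    peers = defaultdict(set)
    for src, dst, proto, port in flows:
        if proto == "udp" and port in ZEROACCESS_P2P_PORTS:
            peers[src].add(dst)
    return peers


def flag_suspect_hosts(flows, min_peers=3):
    """Return the sorted sources that reached at least min_peers distinct peers.
    A single hit on such a port is weak evidence (any UDP service could use it);
    fan-out to many distinct peers is what characterises a P2P bot."""
    fanout = p2p_peer_fanout(flows)
    return sorted(src for src, peers in fanout.items() if len(peers) >= min_peers)


if __name__ == "__main__":
    print(flag_suspect_hosts(parse_flows(SAMPLE_FLOWS)))
```

Tune `min_peers` to the environment's baseline; a host that legitimately runs a UDP service on one of these ports will show up as a false positive until its fan-out is compared against that baseline.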

  13. I perform on computer systems in my company and have had an increase of significant Zero Accessibility contaminated in the last 2 several weeks. I have to tell my clients that if they have let it go a lengthy time without performing that they will be looking at having to substitute their difficult disks and probably buying new application, if they had a pre-loaded device.


About the author

James Wyke is a Senior Threat Researcher with SophosLabs UK