Microsoft and partners fight back against the ZeroAccess botnet

Microsoft announced yesterday that its Digital Crimes Unit has successfully disrupted ZeroAccess, one of the world’s largest botnets.

Its action was taken in collaboration with Europol’s European Cybercrime Centre (EC3), the Federal Bureau of Investigation (FBI) and other industry partners.

ZeroAccess, also known as the Sirefef botnet, is believed to have infected more than 9 million computers worldwide. The botnet makes its operators money through click fraud, targeting search results on Google, Yahoo and Bing and costing the online advertisers an estimated $2.7 million per month.

Victims’ computers usually fall prey to ZeroAccess either as the result of a drive-by download or from the installation of pirated software.

Once on a system it can steal the user’s personal information, generate fake clicks on web ads and hijack their web search results.

Microsoft filed a lawsuit against the botnet’s masterminds last week and secured an injunction blocking all communications between computers in the US and 18 specific IP addresses that had been identified in association with the botnet. The company also took control of 49 domains associated with ZeroAccess.

As Microsoft enacted the civil order obtained in its case, Europol coordinated law enforcement agencies in Germany, Latvia, Luxembourg, the Netherlands and Switzerland to execute search warrants and seize servers associated with the fraudulent IP addresses operating within Europe.

Troels Oerting, head of Europol’s European Cybercrime Centre, said:

This operation marks an important step in coordinated actions that are initiated by private companies and, at the same time, enable law enforcement agencies around Europe to identify and investigate the criminal organizations and networks behind these dangerous botnets that use malicious software to gain illicit profits.

This is Microsoft’s eighth action against botnets in the last three years and the second time in six months that it has worked with law enforcement to disrupt such a high-profile threat (in June of this year a collaborative effort saw the takedown of over 1,000 separate botnets associated with the Citadel crimeware kit).

This latest action is especially notable, though, as it represents a rare instance of serious damage being done to a botnet that is controlled via a peer-to-peer system, in which infected machines relay instructions to each other instead of being directed by a central command-and-control server, which could be targeted and disabled far more easily.

Although this is a victory to be celebrated it does not, regrettably, mean the end of ZeroAccess.

The servers targeted in this intervention are associated with the click fraud element of the software. Taking them down will undoubtedly cause disruption and a loss of revenue to the people behind ZeroAccess, but the botnet itself is still intact.

Indeed, Microsoft and its partners recognised this by saying that it does “not expect to fully eliminate the ZeroAccess botnet due to the complexity of the threat.” The botnet busters do, however, “expect that this action will significantly disrupt the botnet’s operation.”

James Wyke, a Senior Threat Researcher from SophosLabs UK and author of a detailed technical paper on ZeroAccess, shares this view and highlights Microsoft’s legal action as the best hope for a decisive blow.

I think going after these servers is a good way to find the people responsible and take legal action against them, which is the best way to tackle the threat long term.

Just taking the servers down certainly causes the owners a lot of disruption but if this action does not lead to the identification and arrest of those individuals then they will be free to set up new servers and seed the addresses into the P2P network and ZeroAccess will live on.

Unless Microsoft or Europol can identify the ‘John Does 1-8’ mentioned in the court documents then we can expect ZeroAccess to resurface in the near future.

In the meantime though we should give praise to Microsoft and its crime busting partners for the serious blow they have landed on a difficult opponent.

If you’d like to do your bit to help rid the world of botnets like ZeroAccess then prevention is easier than cure; you can make a big difference just by doing 3 essential security tasks for your family today.