ZeroAccess click fraud botnet coughs back to life


ZeroAccessThe infamous ZeroAccess botnet is back in the news again.

For the second time since December 2013, when it took a serious hiding from Microsoft’s Digital Crimes Unit and its partners in industry and law enforcement, the much-reduced click fraud network has coughed back into life.

The once-mighty botnet is now only a shadow of its former self though, and the takedown efforts of a little over a year ago seem to have had a serious and long-lasting effect on  the network and its operators.

The number of IP addresses involved in the network is now a fraction of its peak and doesn’t appear to be growing.

Around 50,000 computers are currently co-opted into the illegal network, which puts it into unremarkable, botnet journeyman territory.

That is a sobering thought.

It’s the history of ZeroAccess, and its historic size, that makes it newsworthy – under normal circumstances a botnet committing fraud using the stolen resources of tens of thousands of people does not stand it apart from the crowd.

Botnets are large, all-purpose collections of computers under the control of criminals.

The computers that make up the botnet – from servers, desktop PCs and in some cases even phones – are recruited in secret using malicious software.

Once they’re part of a botnet computers can be tasked with a range of activities, most commonly sending out huge volumes of spam and malware.

A principle focus for ZeroAccess was click fraud – the act of making money illegally by clicking on your own PPC (Pay Per Click) adverts.

Like any advertising, PPC is a way for companies to market themselves and drive traffic.

Advertisers reward websites that host their ads with a small fee every time an ad is clicked. All clicks are not equal though – that click is is supposed to be a potential customer; a real person, clicking deliberately.

If you can get the computers in a botnet to click on your own ads without giving themselves away as computers, or if you can get the computers’ owners to click on ads unwittingly, you can make money by taking those rewards fraudulently (using resources acquired illegally.)

At its height the ZeroAccess botnet had roped in millions of victims and was costing online advertisers an estimated $2.7 million USD per month.

It also proved to be very resistant to efforts to disrupt it.

That resilience came, in part at least, from the fact that it’s a P2P (Peer-to-Peer) network. In a P2P network any one computer can get what it needs from any other computer – they’re all equally important and equally disposable.

The owners of ZeroAccess would seed malware plugins into the botnet and disseminate them to all the computers in the network, peer-to-peer.

The takedown efforts of December 2013 focussed on the plugins rather than the peers – individual plugins relied on servers that could be blocked.

Each time a new server address appeared on the network that server was made inoperable as quickly as possible.

Eventually the hydra couldn’t generate new heads fast enough and the malware authors raised the white flag (almost literally.)

White flagAfter the white flag was raised the botnet became dormant for a few months before coming back to life in March 2014, much reduced.

It entered hiatus again a few months later.

James Wyke, a Senior Threat Researcher with SophosLabs, explained that the network has been limping along since.

...the botnet hasn't grown ever since law enforcement action took out vast swathes of it.

Our statistics show this ... we've seen barely any new droppers since.

The botnet should reduce in size over time because computers that leave are not replaced. Computers leave when they’re retired or if they’re cleaned up with anti-virus software.

According to Wyke, that’s happening very slowly.

...there does appear to be an amount of infected machines still in the botnet that are never getting cleaned up, and these have been receiving plugins through the p2p network for quite some time.

[the ZeroAccess operators] are just relying on the same machines staying infected perpetually.

...there are a considerable number of infected machines still in the botnet and their owners simply don't realise they are infected.

ZeroAccess might be unremarkable now but it still has tens of thousands of victims whose computers are not their own.

And of course even if we aren’t direct participants we’re all victims of the effects of botnets like ZeroAccess.

On 10 February it’s Safer Internet Day and this year’s theme is “let’s create a better internet together”. A great way to celebrate that idea would be to rid the internet of the ZeroAccess by cleaning up its rear guard – something we can do by taking responsibility for the security of our friends and family’s computers.

For an in-depth look at ZeroAccess, read SophosLabs’ detailed report: The ZeroAccess Botnet – Mining and fraud for massive financial gain

Learn more about botnets

Listen to our Techknow podcast entitled Understanding botnets.

(Audio player above not working for you? Download to listen offline, or listen on Soundcloud.)