12/10/2013
02:40 PM

Microsoft Fails To Nuke ZeroAccess Botnet

Attacks may be down, but 62% of the malicious infrastructure, along with the P2P communications channel, is alive and well.

The ZeroAccess botnet remains alive, despite Microsoft's Digital Crimes Unit (MDCU) last week joining forces with the FBI and Europol to scuttle the botnet.

While the group successfully deactivated some of the infrastructure used to power the botnet, it failed to compromise all of the botnet's click-fraud layer and also left the ZeroAccess peer-to-peer (P2P) control layer completely intact, according to security researchers Yacin Nadji, a PhD candidate at the Georgia Institute of Technology, and Manos Antonakakis, chief scientist at computer security firm Damballa.

As a result, Microsoft's claim that it had "successfully disrupted a dangerous botnet" appeared to be an overstatement, unless disruption is being defined as "temporary inconvenience."

"Approximately 62% of the infrastructure was not taken down," Nadji and Antonakakis said in a blog post. "Even without updates being sent across the P2P channel, the botnet's monetization was largely unaffected."

That monetization refers to the criminals behind ZeroAccess earning an estimated $2.7 million per month, thanks to their malware forcing infected PCs to launch clickjacking attacks that generate fake pay-per-click revenues for the botnet controllers or their clients. According to Microsoft, more than 2 million PCs around the world have been infected by the malware.

To be fair, Microsoft last week acknowledged that eradicating the botnet would be difficult. "Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet," Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, said in a blog post Thursday that announced the takedown.

"However, we do expect this legal and technical action will significantly disrupt the botnet's operation by disrupting the cybercriminals' business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims' computers from committing the fraudulent schemes," he said.

But Nadji and Antonakakis said that with the P2P communications layer still intact, the disruption amounted to only a momentary inconvenience for the ZeroAccess botnet administrators. "Needless to say, any meaningful action against the ZA botnet must disrupt the P2P communication channel," they said. "Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations."

Of course, that's why whoever designed ZeroAccess added a P2P communications channel: so that C&C commands and new malware could be distributed to infected PCs without using a centralized -- and thus relatively easy to disrupt -- malicious infrastructure.

"Taking down a P2P botnet is anything but easy," said the researchers. As proof, they referenced a study on the effectiveness of P2P botnets that was presented at the 2013 IEEE Symposium on Security and Privacy, which found that many P2P botnets are far more resilient to takedown attempts than centralized botnets, because they have no single points of failure.

That said, the study did identify several strategies that might work against some of the 11 types of P2P botnets it profiled, including sinkholing, which refers to disrupting the DNS names that the botnet employs to connect bots with C&C servers: "In the case of ZeroAccess, it is feasible to execute a long-term sinkholing attack against all routable peers. Since routable peers propagate sinkhole entries to non-routable peers, we expect an attack [meaning a takedown] to be successful over time."
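The study's reasoning, that sinkholing the routable peers eventually isolates the non-routable ones too, can be seen in a small gossip model. The Python below is an added illustration, not code from the article or the cited study; the peer-list size, the entry time-to-live and the merge rule are assumptions of the model, not ZeroAccess protocol details, and a takedown that leaves the P2P layer untouched corresponds to `poisoned_fraction=0.0`.

```python
import random

SINKHOLE = "sinkhole"  # address the defenders' sinkhole advertises for itself


def simulate_sinkholing(n_routable=20, n_nonroutable=80, list_size=8,
                        poisoned_fraction=1.0, ttl=5, rounds=40, seed=7):
    """Toy gossip model (an assumption, not the real ZeroAccess protocol).

    Each bot keeps a bounded peer list {peer_id: round_last_seen}. Only
    routable peers can be contacted, so every list starts out holding only
    routable peers. Each round a non-routable bot asks one peer it knows for
    that peer's list, merges the reply as fresh entries, keeps the freshest
    `list_size` entries and forgets anything not seen for `ttl` rounds.
    Routable peers that defenders have sinkholed answer with nothing but the
    sinkhole address. Returns the fraction of non-routable bots that, after
    `rounds`, know no peer except the sinkhole.
    """
    rng = random.Random(seed)
    routable = [f"r{i}" for i in range(n_routable)]
    nonroutable = [f"n{i}" for i in range(n_nonroutable)]
    peers = {}
    for bot in routable + nonroutable:
        others = [p for p in routable if p != bot]
        peers[bot] = {p: 0 for p in rng.sample(others, list_size)}
    # Defenders take over this share of the routable peers; the study's claim
    # concerns the case where all of them are sinkholed.
    poisoned = set(rng.sample(routable, round(n_routable * poisoned_fraction)))

    for t in range(1, rounds + 1):
        for bot in nonroutable:
            target = rng.choice(list(peers[bot]))
            if target == SINKHOLE or target in poisoned:
                advertised = [SINKHOLE]          # sinkholed peers only point at the sinkhole
            else:
                advertised = list(peers[target])  # an untouched peer shares its own list
            for p in advertised:
                peers[bot][p] = t
            freshest = sorted(peers[bot].items(), key=lambda kv: -kv[1])[:list_size]
            peers[bot] = {p: seen for p, seen in freshest if t - seen <= ttl}

    isolated = sum(1 for b in nonroutable if set(peers[b]) == {SINKHOLE})
    return isolated / n_nonroutable


if __name__ == "__main__":
    for share in (0.0, 0.5, 1.0):
        print(f"routable peers sinkholed: {share:.0%} -> non-routable bots "
              f"isolated: {simulate_sinkholing(poisoned_fraction=share):.0%}")
```

With every routable peer sinkholed, the non-routable bots lose their last legitimate entries only once those entries age out, which is the "over time" in the study's expectation.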

In fact, many security companies have used sinkholing in the past, including Symantec, which in September reported that it had sinkholed 500,000 ZeroAccess bots, right before the botmaster pushed an update that would have made it much more difficult to sinkhole ZeroAccess bots. But security experts said that any setback to the botnet's operators would have been temporary, given the ease of adding more infected PCs to the botnet.

Not for the first time, Microsoft's botnet disruption -- the company has stopped describing these efforts as takedowns, given the difficulty of actually taking down a botnet -- drew criticism from other security researchers, with one paper previously rating its Operation b70 takedown effort against advanced persistent threat (APT) servers as having "little impact and in many cases allowed malicious infrastructure to continue running unperturbed." Likewise, Microsoft's takedown of a Zeus botnet that had already been sinkholed by other security researchers earned the company extensive criticism because it disrupted a source of valuable threat intelligence for other researchers.

But the moral of the story isn't that Microsoft has made some botnet takedown moves that are controversial "because they do not stop the threats nor do they place people behind bars," Nadji and Antonakakis said, but rather that the company might use its muscle -- and admired information security research chops -- in more coordinated ways.

"Simply calling out failures would be easy to do and is not productive for the broad security community," they said. "The security industry, academic researchers, and law enforcement need to come together in order to systematically and rigorously solve the problem of Internet abuse. Doing it alone is unlikely to work."

Comments

Mathew | 12/11/2013 | 6:57:57 AM
Botnet Disruptions: Worth the effort?
Are botnet disruptions overhyped? Or is anything -- however small/large -- that at least inconveniences botnet herders worth the effort?  