Attacks/Breaches
12/10/2013
02:40 PM
50%
50%

Microsoft Fails To Nuke ZeroAccess Botnet

Attacks may be down, but 62% of the malicious infrastructure, along with the P2P communications channel, is alive and well.

The ZeroAccess botnet remains alive, despite Microsoft's Digital Crimes Unit (MDCU) last week joining forces with the FBI and Europol to scuttle the botnet.

While the group successfully deactivated some of the infrastructure used to power the botnet, it failed to compromise all of the botnet's click-fraud layer and also left the ZeroAccess peer-to-peer (P2P) control layer completely intact, according to security researchers Yacin Nadji, a PhD candidate at the Georgia Institute of Technology, and Manos Antonakakis, chief scientist at computer security firm Damballa.

As a result, Microsoft's claim that it had "successfully disrupted a dangerous botnet" appeared to be an overstatement, unless disruption is being defined as "temporary inconvenience."

[Want to help the Defense Department tighten security by playing a game? Read DARPA Crowdsources Bug-Spotting Games.]

"Approximately 62% of the infrastructure was not taken down," Nadji and Antonakakis said in a blog post. "Even without updates being sent across the P2P channel, the botnet's monetization was largely unaffected."

That monetization refers to the criminals behind ZeroAccess earning an estimated $2.7 million per month, thanks to their malware forcing infected PCs to launch clickjacking attacks that generate fake pay-per-click revenues for the botnet controllers or their clients. According to Microsoft, more than 2 million PCs around the world have been infected by the malware.

To be fair, Microsoft last week acknowledged that eradicating the botnet would be difficult. "Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet," Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, said in a blog post Thursday that announced the takedown.

"However, we do expect this legal and technical action will significantly disrupt the botnet's operation by disrupting the cybercriminals' business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims' computers from committing the fraudulent schemes," he said.

But Nadji and Antonakakis said that with the P2P communications layer still intact, the disruption amounted to only a momentary inconvenience for the ZeroAccess botnet administrators. "Needless to say, any meaningful action against the ZA botnet must disrupt the P2P communication channel," they said. "Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations."

Of course, that's why whoever designed ZeroAccess added a P2P communications channel: so that C&C commands and new malware could be distributed to infected PCs without using a centralized -- and thus relatively easy to disrupt -- malicious infrastructure.

"Taking down a P2P botnet is anything but easy," said the researchers. As proof, they referenced a study on the effectiveness of P2P botnets that was presented at the 2013 IEEE Symposium on Security and Privacy, which found that many P2P botnets are far more resilient to takedown attempts than centralized botnets, because they have no single points of failure.

That said, the study did identify some different strategies that might work against some of the 11 different types of P2P botnets that they profiled, including sinkholing, which refers to disrupting the DNS names that the botnet employs to connect bots with C&C servers: "In the case of ZeroAccess, it is feasible to execute a long-term sinkholing attack against all routable peers. Since routable peers propagate sinkhole entries to non-routable peers, we expect an attack [meaning a takedown] to be successful over time."

In fact, many security companies have used sinkholing in the past, including Symantec, which in September reported that it had sinkholed 500,000 ZeroAccess bots, right before the botmaster pushed an update that would have made it much more difficult to sinkhole ZeroAccess bots. But security experts said that any setback to the botnet's operators would have been temporary, given the ease of adding more infected PCs to the botnet.

Not for the first time, Microsoft's botnet disruption -- the company has stopped describing these efforts as takedowns, given the difficulty of actually taking down a botnet -- drew criticism from other security researchers, with one paper previously rating its Operation b70 takedown effort against advanced persistent threat (APT) servers as having "little impact and in many cases allowed malicious infrastructure to continue running unperturbed." Likewise, Microsoft's takedown of a Zeus botnet that had already been sinkholed by other security researchers earned the company extensive criticism because it disrupted a source of valuable threat intelligence for other researchers.

But the moral of the story isn't that Microsoft has made some botnet takedown moves that are controversial "because they do not stop the threats nor do they place people behind bars," Nadji and Antonakakis said, but rather that the company might use its muscle -- and admired information security research chops -- in more coordinated ways.

"Simply calling out failures would be easy to do and is not productive for the broad security community," they said. "The security industry, academic researchers, and law enforcement need to come together in order to systematically and rigorously solve the problem of Internet abuse. Doing it alone is unlikely to work."

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. This Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, puts the risk in context and offers recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
12/11/2013 | 6:57:57 AM
Botnet Disruptions: Worth the effort?
Are botnet disruptions overhyped? Or is anything -- however small/large -- that at least inconveniences botnet herders worth the effort?  
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8142
Published: 2014-12-20
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys w...

CVE-2013-4440
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 generates weak non-tty passwords, which makes it easier for context-dependent attackers to guess the password via a brute-force attack.

CVE-2013-4442
Published: 2014-12-19
Password Generator (aka Pwgen) before 2.07 uses weak pseudo generated numbers when /dev/urandom is unavailable, which makes it easier for context-dependent attackers to guess the numbers.

CVE-2013-7401
Published: 2014-12-19
The parse_request function in request.c in c-icap 0.2.x allows remote attackers to cause a denial of service (crash) via a URI without a " " or "?" character in an ICAP request, as demonstrated by use of the OPTIONS method.

CVE-2014-2026
Published: 2014-12-19
Cross-site scripting (XSS) vulnerability in the search functionality in United Planet Intrexx Professional before 5.2 Online Update 0905 and 6.x before 6.0 Online Update 10 allows remote attackers to inject arbitrary web script or HTML via the request parameter.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.