02:40 PM

Microsoft Fails To Nuke ZeroAccess Botnet

Attacks may be down, but 62% of the malicious infrastructure, along with the P2P communications channel, is alive and well.

The ZeroAccess botnet remains alive, despite Microsoft's Digital Crimes Unit (MDCU) last week joining forces with the FBI and Europol to scuttle the botnet.

While the group successfully deactivated some of the infrastructure used to power the botnet, it failed to compromise all of the botnet's click-fraud layer and also left the ZeroAccess peer-to-peer (P2P) control layer completely intact, according to security researchers Yacin Nadji, a PhD candidate at the Georgia Institute of Technology, and Manos Antonakakis, chief scientist at computer security firm Damballa.

As a result, Microsoft's claim that it had "successfully disrupted a dangerous botnet" appeared to be an overstatement, unless disruption is being defined as "temporary inconvenience."


"Approximately 62% of the infrastructure was not taken down," Nadji and Antonakakis said in a blog post. "Even without updates being sent across the P2P channel, the botnet's monetization was largely unaffected."

That monetization refers to the criminals behind ZeroAccess earning an estimated $2.7 million per month, thanks to their malware forcing infected PCs to launch clickjacking attacks that generate fake pay-per-click revenues for the botnet controllers or their clients. According to Microsoft, more than 2 million PCs around the world have been infected by the malware.

To be fair, Microsoft last week acknowledged that eradicating the botnet would be difficult. "Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet," Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, said in a blog post Thursday that announced the takedown.

"However, we do expect this legal and technical action will significantly disrupt the botnet's operation by disrupting the cybercriminals' business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims' computers from committing the fraudulent schemes," he said.

But Nadji and Antonakakis said that with the P2P communications layer still intact, the disruption amounted to only a momentary inconvenience for the ZeroAccess botnet administrators. "Needless to say, any meaningful action against the ZA botnet must disrupt the P2P communication channel," they said. "Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations."

Of course, that's why whoever designed ZeroAccess added a P2P communications channel: so that C&C commands and new malware could be distributed to infected PCs without using a centralized -- and thus relatively easy to disrupt -- malicious infrastructure.

"Taking down a P2P botnet is anything but easy," said the researchers. As proof, they referenced a study on the effectiveness of P2P botnets that was presented at the 2013 IEEE Symposium on Security and Privacy, which found that many P2P botnets are far more resilient to takedown attempts than centralized botnets, because they have no single points of failure.

That said, the study did identify strategies that might work against some of the 11 types of P2P botnets it profiled, including sinkholing, which refers to disrupting the DNS names that the botnet employs to connect bots with C&C servers: "In the case of ZeroAccess, it is feasible to execute a long-term sinkholing attack against all routable peers. Since routable peers propagate sinkhole entries to non-routable peers, we expect an attack [meaning a takedown] to be successful over time."
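The propagation argument in that quote is easier to see with a small model. The following Python simulation is an added illustration, not code from the article, the researchers, or the cited study, and it does not reproduce ZeroAccess's real protocol: it assumes a constructed overlay in which every bot keeps a short peer list, only routable peers can be contacted directly, non-routable peers refresh their lists by asking a routable peer, and a defender controlling the routable peers' lists fills them with a sinkhole entry. Names such as `Peer`, `gossip_round` and `simulate` are the example's own.

```python
"""Toy model of a sinkholing takedown against a P2P botnet overlay.

Constructed illustration (not ZeroAccess's real protocol): peers keep a
short peer list, non-routable peers (e.g. behind NAT) can only learn new
entries by asking routable peers, and a defender who controls the peer
lists of all routable peers therefore starves everyone else of live
contacts over successive gossip rounds.
"""
import random
from dataclasses import dataclass, field

# Marker for a peer-list entry that points at a defender-controlled sinkhole.
SINKHOLE = "sinkhole"


@dataclass
class Peer:
    name: str
    routable: bool
    peer_list: list = field(default_factory=list)

    def isolated(self) -> bool:
        """True once the bot knows no live peer at all."""
        return all(entry == SINKHOLE for entry in self.peer_list)


def build_overlay(n_routable, n_nonroutable, list_size, rng):
    """Create routable and non-routable peers whose lists contain only routable peers."""
    routable = [Peer(f"r{i}", True) for i in range(n_routable)]
    nonroutable = [Peer(f"n{i}", False) for i in range(n_nonroutable)]
    dialable = [p.name for p in routable]  # only routable peers can be contacted
    for p in routable + nonroutable:
        others = [name for name in dialable if name != p.name]
        p.peer_list = rng.sample(others, list_size)
    return routable + nonroutable


def sinkhole_routable_peers(peers):
    """Defender action from the quoted study: poison every routable peer's list."""
    for p in peers:
        if p.routable:
            p.peer_list = [SINKHOLE] * len(p.peer_list)


def gossip_round(peers, learn, rng):
    """Each peer asks one live contact for entries and merges them, dropping oldest ones."""
    by_name = {p.name: p for p in peers}
    for p in peers:
        live = [entry for entry in p.peer_list if entry != SINKHOLE]
        if not live:
            continue  # already isolated: nobody left to ask
        contact = by_name[rng.choice(live)]
        learned = rng.sample(contact.peer_list, min(learn, len(contact.peer_list)))
        # Newest entries go to the front; the list keeps its fixed size.
        p.peer_list = (learned + p.peer_list)[: len(p.peer_list)]


def fraction_isolated(peers):
    return sum(p.isolated() for p in peers) / len(peers)


def simulate(n_routable=20, n_nonroutable=80, list_size=8, learn=4,
             attack=True, max_rounds=20, seed=7):
    """Return the fraction of isolated bots after each gossip round.

    With attack=True the routable peers are sinkholed before gossip starts;
    with attack=False the overlay runs untouched as a control.
    """
    rng = random.Random(seed)
    peers = build_overlay(n_routable, n_nonroutable, list_size, rng)
    if attack:
        sinkhole_routable_peers(peers)
    history = [fraction_isolated(peers)]
    for _ in range(max_rounds):
        gossip_round(peers, learn, rng)
        history.append(fraction_isolated(peers))
        if history[-1] == 1.0:
            break
    return history


if __name__ == "__main__":
    print("sinkholed routable peers:", simulate())
    print("no attack (control):    ", simulate(attack=False))
```

With the default parameters the routable peers are cut off immediately (20% of the overlay) and every non-routable peer has nothing but sinkhole entries after two refresh rounds, while the control run never isolates anyone. The model only captures the propagation step the study describes; it does not model the countermeasure the article goes on to mention, namely the botmaster pushing an updated binary with fresh peer lists before the sinkhole entries have spread.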

In fact, many security companies have used sinkholing in the past, including Symantec, which in September reported that it had sinkholed 500,000 ZeroAccess bots, right before the botmaster pushed an update that would have made it much more difficult to sinkhole ZeroAccess bots. But security experts said that any setback to the botnet's operators would have been temporary, given the ease of adding more infected PCs to the botnet.

Not for the first time, Microsoft's botnet disruption -- the company has stopped describing these efforts as takedowns, given the difficulty of actually taking down a botnet -- drew criticism from other security researchers, with one paper previously rating its Operation b70 takedown effort against advanced persistent threat (APT) servers as having "little impact and in many cases allowed malicious infrastructure to continue running unperturbed." Likewise, Microsoft's takedown of a Zeus botnet that had already been sinkholed by other security researchers earned the company extensive criticism because it disrupted a source of valuable threat intelligence for other researchers.

But the moral of the story isn't that Microsoft has made some botnet takedown moves that are controversial "because they do not stop the threats nor do they place people behind bars," Nadji and Antonakakis said, but rather that the company might use its muscle -- and admired information security research chops -- in more coordinated ways.

"Simply calling out failures would be easy to do and is not productive for the broad security community," they said. "The security industry, academic researchers, and law enforcement need to come together in order to systematically and rigorously solve the problem of Internet abuse. Doing it alone is unlikely to work."


User Rank: Apprentice
12/11/2013 | 6:57:57 AM
Botnet Disruptions: Worth the effort?
Are botnet disruptions overhyped? Or is anything -- however small/large -- that at least inconveniences botnet herders worth the effort?  