Dark Reading is part of the Informa Tech Division of Informa PLC


Microsoft Fails To Nuke ZeroAccess Botnet

Attacks may be down, but 62% of the malicious infrastructure, along with the P2P communications channel, is alive and well.

The ZeroAccess botnet remains alive, despite Microsoft's Digital Crimes Unit (MDCU) last week joining forces with the FBI and Europol to scuttle the botnet.

While the group successfully deactivated some of the infrastructure used to power the botnet, it failed to compromise all of the botnet's click-fraud layer and also left the ZeroAccess peer-to-peer (P2P) control layer completely intact, according to security researchers Yacin Nadji, a PhD candidate at the Georgia Institute of Technology, and Manos Antonakakis, chief scientist at computer security firm Damballa.

As a result, Microsoft's claim that it had "successfully disrupted a dangerous botnet" appeared to be an overstatement, unless disruption is being defined as "temporary inconvenience."


"Approximately 62% of the infrastructure was not taken down," Nadji and Antonakakis said in a blog post. "Even without updates being sent across the P2P channel, the botnet's monetization was largely unaffected."

That monetization refers to the criminals behind ZeroAccess earning an estimated $2.7 million per month, thanks to their malware forcing infected PCs to launch clickjacking attacks that generate fake pay-per-click revenues for the botnet controllers or their clients. According to Microsoft, more than 2 million PCs around the world have been infected by the malware.

To be fair, Microsoft last week acknowledged that eradicating the botnet would be difficult. "Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet," Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, said in a blog post Thursday that announced the takedown.

"However, we do expect this legal and technical action will significantly disrupt the botnet's operation by disrupting the cybercriminals' business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims' computers from committing the fraudulent schemes," he said.

But Nadji and Antonakakis said that with the P2P communications layer still intact, the disruption amounted to only a momentary inconvenience for the ZeroAccess botnet administrators. "Needless to say, any meaningful action against the ZA botnet must disrupt the P2P communication channel," they said. "Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations."

Of course, that's why whoever designed ZeroAccess added a P2P communications channel: so that C&C commands and new malware could be distributed to infected PCs without using a centralized -- and thus relatively easy to disrupt -- malicious infrastructure.

"Taking down a P2P botnet is anything but easy," said the researchers. As proof, they referenced a study on the effectiveness of P2P botnets that was presented at the 2013 IEEE Symposium on Security and Privacy, which found that many P2P botnets are far more resilient to takedown attempts than centralized botnets, because they have no single points of failure.

That said, the study did identify several strategies that might work against some of the 11 types of P2P botnets its authors profiled, including sinkholing, which refers to disrupting the DNS names that the botnet employs to connect bots with C&C servers: "In the case of ZeroAccess, it is feasible to execute a long-term sinkholing attack against all routable peers. Since routable peers propagate sinkhole entries to non-routable peers, we expect an attack [meaning a takedown] to be successful over time."

In fact, many security companies have used sinkholing in the past, including Symantec, which in September reported that it had sinkholed 500,000 ZeroAccess bots, right before the botmaster pushed an update that would have made it much more difficult to sinkhole ZeroAccess bots. But security experts said that any setback to the botnet's operators would have been temporary, given the ease of adding more infected PCs to the botnet.
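To make the propagation argument quoted from the study concrete, here is an added simulation of a toy peer-to-peer network; it is not code from the researchers, the study or ZeroAccess itself. Sinkhole entries are seeded only into routable (inbound-reachable) peers and spread to the non-routable peers that can only ever contact routable ones; the gossip rules, list sizes, peer counts and seed are assumptions chosen for the illustration.

```python
import random

# Constructed model (not ZeroAccess's real protocol): every bot keeps a peer
# list of LIST_SIZE entries, asks one entry per round for SAMPLE peers and
# keeps the newest entries. NAT peers are never advertised to anyone.
LIST_SIZE, SAMPLE = 16, 8

def build_network(n_routable=20, n_nat=200, n_sinkholes=32, seed=7):
    rng = random.Random(seed)
    routable = [f"r{i}" for i in range(n_routable)]
    nat = [f"n{i}" for i in range(n_nat)]
    sinkholes = [f"s{i}" for i in range(n_sinkholes)]
    # Every bot bootstraps from routable peers only.
    lists = {p: rng.sample(routable, LIST_SIZE) for p in routable + nat}
    # Takedown step described by the study: seed sinkhole entries into all
    # routable peers (newest entries go at the end of the list).
    for p in routable:
        lists[p] = (lists[p] + rng.sample(sinkholes, SAMPLE))[-LIST_SIZE:]
    # A sinkhole only ever advertises other sinkholes.
    for s in sinkholes:
        lists[s] = list(sinkholes)
    return rng, lists, routable, nat, set(sinkholes)

def gossip_round(rng, lists, bots):
    """Each bot asks one random entry for SAMPLE peers and keeps the newest."""
    for bot in bots:
        contact = rng.choice(lists[bot])
        received = rng.sample(lists[contact], min(SAMPLE, len(lists[contact])))
        merged = [e for e in lists[bot] if e not in received] + received
        lists[bot] = merged[-LIST_SIZE:]

def sinkhole_share(lists, peers, sinkholes):
    """Average fraction of sinkhole entries in the given peers' lists."""
    per_peer = [sum(e in sinkholes for e in lists[p]) / LIST_SIZE for p in peers]
    return sum(per_peer) / len(per_peer)

def simulate(rounds=30, seed=7):
    """Return the NAT peers' sinkhole share before and after each round."""
    rng, lists, routable, nat, sinkholes = build_network(seed=seed)
    shares = [sinkhole_share(lists, nat, sinkholes)]
    for _ in range(rounds):
        gossip_round(rng, lists, routable + nat)
        shares.append(sinkhole_share(lists, nat, sinkholes))
    return shares

if __name__ == "__main__":
    for r, s in enumerate(simulate()):
        print(f"round {r:2d}: sinkhole share among NAT peers = {s:.2f}")
```

The NAT peers start with no sinkhole entries and, without ever being reachable themselves, end up with lists that are almost entirely sinkholes, which is the "successful over time" outcome the study predicts.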

Not for the first time, Microsoft's botnet disruption -- the company has stopped describing these efforts as takedowns, given the difficulty of actually taking down a botnet -- drew criticism from other security researchers, with one paper previously rating its Operation b70 takedown effort against advanced persistent threat (APT) servers as having "little impact and in many cases allowed malicious infrastructure to continue running unperturbed." Likewise, Microsoft's takedown of a Zeus botnet that had already been sinkholed by other security researchers earned the company extensive criticism because it disrupted a source of valuable threat intelligence for other researchers.

But the moral of the story isn't that Microsoft has made some botnet takedown moves that are controversial "because they do not stop the threats nor do they place people behind bars," Nadji and Antonakakis said, but rather that the company might use its muscle -- and admired information security research chops -- in more coordinated ways.

"Simply calling out failures would be easy to do and is not productive for the broad security community," they said. "The security industry, academic researchers, and law enforcement need to come together in order to systematically and rigorously solve the problem of Internet abuse. Doing it alone is unlikely to work."

Comments
Mathew, User Rank: Apprentice, 12/11/2013 | 6:57:57 AM

Botnet Disruptions: Worth the effort?

Are botnet disruptions overhyped? Or is anything -- however small/large -- that at least inconveniences botnet herders worth the effort?