Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Microsoft Fails To Nuke ZeroAccess Botnet

Attacks may be down, but 62% of the malicious infrastructure, along with the P2P communications channel, is alive and well.

The ZeroAccess botnet remains alive, despite Microsoft's Digital Crimes Unit (MDCU) last week joining forces with the FBI and Europol to scuttle the botnet.

While the group successfully deactivated some of the infrastructure used to power the botnet, it failed to compromise all of the botnet's click-fraud layer and also left the ZeroAccess peer-to-peer (P2P) control layer completely intact, according to security researchers Yacin Nadji, a PhD candidate at the Georgia Institute of Technology, and Manos Antonakakis, chief scientist at computer security firm Damballa.

As a result, Microsoft's claim that it had "successfully disrupted a dangerous botnet" appeared to be an overstatement, unless disruption is being defined as "temporary inconvenience."

[Want to help the Defense Department tighten security by playing a game? Read DARPA Crowdsources Bug-Spotting Games.]

"Approximately 62% of the infrastructure was not taken down," Nadji and Antonakakis said in a blog post. "Even without updates being sent across the P2P channel, the botnet's monetization was largely unaffected."

That monetization refers to the criminals behind ZeroAccess earning an estimated $2.7 million per month, thanks to their malware forcing infected PCs to launch clickjacking attacks that generate fake pay-per-click revenues for the botnet controllers or their clients. According to Microsoft, more than 2 million PCs around the world have been infected by the malware.

To be fair, Microsoft last week acknowledged that eradicating the botnet would be difficult. "Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet," Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, said in a blog post Thursday that announced the takedown.

"However, we do expect this legal and technical action will significantly disrupt the botnet's operation by disrupting the cybercriminals' business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims' computers from committing the fraudulent schemes," he said.

But Nadji and Antonakakis said that with the P2P communications layer still intact, the disruption amounted to only a momentary inconvenience for the ZeroAccess botnet administrators. "Needless to say, any meaningful action against the ZA botnet must disrupt the P2P communication channel," they said. "Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations."

Of course, that's why whoever designed ZeroAccess added a P2P communications channel: so that C&C commands and new malware could be distributed to infected PCs without using a centralized -- and thus relatively easy to disrupt -- malicious infrastructure.

"Taking down a P2P botnet is anything but easy," said the researchers. As proof, they referenced a study on the effectiveness of P2P botnets that was presented at the 2013 IEEE Symposium on Security and Privacy, which found that many P2P botnets are far more resilient to takedown attempts than centralized botnets, because they have no single points of failure.

That said, the study did identify some different strategies that might work against some of the 11 different types of P2P botnets that they profiled, including sinkholing, which refers to disrupting the DNS names that the botnet employs to connect bots with C&C servers: "In the case of ZeroAccess, it is feasible to execute a long-term sinkholing attack against all routable peers. Since routable peers propagate sinkhole entries to non-routable peers, we expect an attack [meaning a takedown] to be successful over time."

In fact, many security companies have used sinkholing in the past, including Symantec, which in September reported that it had sinkholed 500,000 ZeroAccess bots, right before the botmaster pushed an update that would have made it much more difficult to sinkhole ZeroAccess bots. But security experts said that any setback to the botnet's operators would have been temporary, given the ease of adding more infected PCs to the botnet.

Not for the first time, Microsoft's botnet disruption -- the company has stopped describing these efforts as takedowns, given the difficulty of actually taking down a botnet -- drew criticism from other security researchers, with one paper previously rating its Operation b70 takedown effort against advanced persistent threat (APT) servers as having "little impact and in many cases allowed malicious infrastructure to continue running unperturbed." Likewise, Microsoft's takedown of a Zeus botnet that had already been sinkholed by other security researchers earned the company extensive criticism because it disrupted a source of valuable threat intelligence for other researchers.

But the moral of the story isn't that Microsoft has made some botnet takedown moves that are controversial "because they do not stop the threats nor do they place people behind bars," Nadji and Antonakakis said, but rather that the company might use its muscle -- and admired information security research chops -- in more coordinated ways.

"Simply calling out failures would be easy to do and is not productive for the broad security community," they said. "The security industry, academic researchers, and law enforcement need to come together in order to systematically and rigorously solve the problem of Internet abuse. Doing it alone is unlikely to work."

The use of cloud technology is booming, often offering the only way to meet customers', employees', and partners' rapidly rising requirements. But IT pros are rightly nervous about a lack of visibility into the security of data in the cloud. This Dark Reading report, Integrating Vulnerability Management Into The Application Development Process, puts the risk in context and offers recommendations for products and practices that can increase insight -- and enterprise security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Mathew
50%
50%
Mathew,
User Rank: Apprentice
12/11/2013 | 6:57:57 AM
Botnet Disruptions: Worth the effort?
Are botnet disruptions overhyped? Or is anything -- however small/large -- that at least inconveniences botnet herders worth the effort?  
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.
CVE-2019-19011
PUBLISHED: 2019-11-17
MiniUPnP ngiflib 0.4 has a NULL pointer dereference in GifIndexToTrueColor in ngiflib.c via a file that lacks a palette.
CVE-2019-19010
PUBLISHED: 2019-11-16
Eval injection in the Math plugin of Limnoria (before 2019.11.09) and Supybot (through 2018-05-09) allows remote unprivileged attackers to disclose information or possibly have unspecified other impact via the calc and icalc IRC commands.