Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/29/2015
01:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

ZeroAccess Click-Fraud Botnet Back In Action Again

After a six-month hiatus, the much-diminished P2P botnet is up to its old tricks.

After six months of silence, the ZeroAccess botnet -- aka Sirefet -- is back in action. Fortunately, it's operating at a smaller scale than it was a couple years ago.

Researchers at Dell SecureWorks Counter Threat Unit have discovered new activity by the once-disrupted botnet. ZeroAccess is actually two peer-to-peer botnets -- one for 32-bit Windows, one for 64-bit -- that both manipulate all major search engines and web browsers. Historically, it hijacked search results, directing users to malicious sites or fraudulently charging businesses for extra clicks on their ads.

In December 2013, Microsoft, Europol, and the FBI teamed up to disrupt ZeroAccess. At that time the botnet had infected nearly 2 million computers all over the world and was costing online advertisers upwards of $2.7 million every month.

The botnet resurfaced a few months later, and was active between March 21 and July 2. It was silent again until Jan. 15, according to SecureWorks, when infected machines began receiving URLs for click-fraud template servers controlled by attackers.

The botnet is hardly what it once was, though. Researchers say that the ZeroAccess administrators did not attempt to expand the botnet after the big disruption in December 2013. They're simply re-using whatever hosts were left.

So, instead of 2 million nodes, ZeroAccess now only has 55,000. The bulk of them are in Japan, India, and Russia. Only 2,540 are left in the United States.

“The ZeroAccess botnet is still under the control of the original actors," says Keith Jarvis, Dell SecureWorks CTU security researcher. "They haven’t moved any bots, this just happens to be the geographic distribution of the residual infected hosts still remaining in the botnet.”

From the researchers' blog post today:

    Although the threat actors behind ZeroAccess have not made any measurable attempts to augment the botnet in more than a year, it remains substantial in size. Its resiliency is a testament to the tenacity of its operators and highlights the danger of malware using P2P networks. ZeroAccess does not pose the same threat as other botnets used to perpetrate banking fraud, steal login credentials and valuable data, or hold victims’ files for ransom. However, it does cause untold fraud losses for advertisers and consumes considerable resources for organizations with compromised hosts.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
theb0x
50%
50%
theb0x,
User Rank: Ninja
1/30/2015 | 9:25:09 PM
RootKits, Bootkits, and Trojans Oh My!
ZeroAccess is a part of the Alureon (Microsoft) family of bootkit infections and otherwise known as TDSS (Kaspersky), Tidserv (Symantec).

It's very misleading for these "researchers" to make the statement:

"ZeroAccess does not pose the same threat as other botnets used to perpetrate banking fraud, steal login credentials and valuable data, or hold victims' files for ransom."

One of this ZeroAccess' primary behaviors is to download additonal payloads such as trojans. A trojan to a cyber criminal has many useful purposes, but controlling a system remotely sums it up. Here are just a few specific purposes of a trojan:

 

Keystoke Loggers

Electronic Money Theft

Data Theft

Ransomware



Once the PC is initially compromised by ZeroAccess that system is now in a state that is completely VULNERABLE to an endless array of additional attack vectors that may not even be initiated by the original attacker. Botnets are also sold, traded, leased, and compromised by other botnets.

There is simply no way of determining what their intentions are. Especially if all this network traffic is encrypted.

 

 

 

 

 

 

 

 
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-22152
PUBLISHED: 2021-05-13
A Denial of Service due to Improper Input Validation vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially to prevent any new user connections.
CVE-2021-22153
PUBLISHED: 2021-05-13
A Remote Code Execution vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially cause the spreadsheet application to run commands on the victim’s local machine with t...
CVE-2021-22154
PUBLISHED: 2021-05-13
An Information Disclosure vulnerability in the Management Console component of BlackBerry UEM version(s) 12.13.1 QF2 and earlier and 12.12.1a QF6 and earlier could allow an attacker to potentially gain access to a victim's web history.
CVE-2021-20331
PUBLISHED: 2021-05-13
Specific versions of the MongoDB C# Driver may erroneously publish events containing authentication-related data to a command listener configured by an application. The published events may contain security-sensitive data when commands such as "saslStart", "saslContinue", "i...
CVE-2021-31215
PUBLISHED: 2021-05-13
SchedMD Slurm before 20.02.7 and 20.03.x through 20.11.x before 20.11.7 allows remote code execution as SlurmUser because use of a PrologSlurmctld or EpilogSlurmctld script leads to environment mishandling.