Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

1/29/2015
01:30 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

ZeroAccess Click-Fraud Botnet Back In Action Again

After a six-month hiatus, the much-diminished P2P botnet is up to its old tricks.

After six months of silence, the ZeroAccess botnet -- aka Sirefet -- is back in action. Fortunately, it's operating at a smaller scale than it was a couple years ago.

Researchers at Dell SecureWorks Counter Threat Unit have discovered new activity by the once-disrupted botnet. ZeroAccess is actually two peer-to-peer botnets -- one for 32-bit Windows, one for 64-bit -- that both manipulate all major search engines and web browsers. Historically, it hijacked search results, directing users to malicious sites or fraudulently charging businesses for extra clicks on their ads.

In December 2013, Microsoft, Europol, and the FBI teamed up to disrupt ZeroAccess. At that time the botnet had infected nearly 2 million computers all over the world and was costing online advertisers upwards of $2.7 million every month.

The botnet resurfaced a few months later, and was active between March 21 and July 2. It was silent again until Jan. 15, according to SecureWorks, when infected machines began receiving URLs for click-fraud template servers controlled by attackers.

The botnet is hardly what it once was, though. Researchers say that the ZeroAccess administrators did not attempt to expand the botnet after the big disruption in December 2013. They're simply re-using whatever hosts were left.

So, instead of 2 million nodes, ZeroAccess now only has 55,000. The bulk of them are in Japan, India, and Russia. Only 2,540 are left in the United States.

“The ZeroAccess botnet is still under the control of the original actors," says Keith Jarvis, Dell SecureWorks CTU security researcher. "They haven’t moved any bots, this just happens to be the geographic distribution of the residual infected hosts still remaining in the botnet.”

From the researchers' blog post today:

    Although the threat actors behind ZeroAccess have not made any measurable attempts to augment the botnet in more than a year, it remains substantial in size. Its resiliency is a testament to the tenacity of its operators and highlights the danger of malware using P2P networks. ZeroAccess does not pose the same threat as other botnets used to perpetrate banking fraud, steal login credentials and valuable data, or hold victims’ files for ransom. However, it does cause untold fraud losses for advertisers and consumes considerable resources for organizations with compromised hosts.
Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
theb0x
50%
50%
theb0x,
User Rank: Ninja
1/30/2015 | 9:25:09 PM
RootKits, Bootkits, and Trojans Oh My!
ZeroAccess is a part of the Alureon (Microsoft) family of bootkit infections and otherwise known as TDSS (Kaspersky), Tidserv (Symantec).

It's very misleading for these "researchers" to make the statement:

"ZeroAccess does not pose the same threat as other botnets used to perpetrate banking fraud, steal login credentials and valuable data, or hold victims' files for ransom."

One of this ZeroAccess' primary behaviors is to download additonal payloads such as trojans. A trojan to a cyber criminal has many useful purposes, but controlling a system remotely sums it up. Here are just a few specific purposes of a trojan:

 

Keystoke Loggers

Electronic Money Theft

Data Theft

Ransomware



Once the PC is initially compromised by ZeroAccess that system is now in a state that is completely VULNERABLE to an endless array of additional attack vectors that may not even be initiated by the original attacker. Botnets are also sold, traded, leased, and compromised by other botnets.

There is simply no way of determining what their intentions are. Especially if all this network traffic is encrypted.

 

 

 

 

 

 

 

 
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14994
PUBLISHED: 2019-09-19
The Customer Context Filter in Atlassian Jira Service Desk Server and Jira Service Desk Data Center before version 3.9.16, from version 3.10.0 before version 3.16.8, from version 4.0.0 before version 4.1.3, from version 4.2.0 before version 4.2.5, from version 4.3.0 before version 4.3.4, and version...
CVE-2019-15000
PUBLISHED: 2019-09-19
The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x ), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6....
CVE-2019-15001
PUBLISHED: 2019-09-19
The Jira Importers Plugin in Atlassian Jira Server and Data Cente from version with 7.0.10 before 7.6.16, from 7.7.0 before 7.13.8, from 8.1.0 before 8.1.3, from 8.2.0 before 8.2.5, from 8.3.0 before 8.3.4 and from 8.4.0 before 8.4.1 allows remote attackers with Administrator permissions to gain rem...
CVE-2019-16398
PUBLISHED: 2019-09-19
On Keeper K5 20.1.0.25 and 20.1.0.63 devices, remote code execution can occur by inserting an SD card containing a file named zskj_script_run.sh that executes a reverse shell.
CVE-2019-11779
PUBLISHED: 2019-09-19
In Eclipse Mosquitto 1.5.0 to 1.6.5 inclusive, if a malicious MQTT client sends a SUBSCRIBE packet containing a topic that consists of approximately 65400 or more '/' characters, i.e. the topic hierarchy separator, then a stack overflow will occur.