After six months of silence, the ZeroAccess botnet -- aka Sirefef -- is back in action. Fortunately, it's operating at a smaller scale than it was a couple of years ago.
Researchers at Dell SecureWorks Counter Threat Unit have discovered new activity by the once-disrupted botnet. ZeroAccess is actually two peer-to-peer botnets -- one for 32-bit Windows, one for 64-bit -- that both manipulate all major search engines and web browsers. Historically, it hijacked search results, directing users to malicious sites or fraudulently charging businesses for extra clicks on their ads.
In December 2013, Microsoft, Europol, and the FBI teamed up to disrupt ZeroAccess. At that time the botnet had infected nearly 2 million computers all over the world and was costing online advertisers upwards of $2.7 million every month.
The botnet resurfaced a few months later, and was active between March 21 and July 2. It was silent again until Jan. 15, according to SecureWorks, when infected machines began receiving URLs for click-fraud template servers controlled by attackers.
The botnet is hardly what it once was, though. Researchers say that the ZeroAccess administrators did not attempt to expand the botnet after the big disruption in December 2013. They're simply re-using whatever hosts were left.
So, instead of 2 million nodes, ZeroAccess now only has 55,000. The bulk of them are in Japan, India, and Russia. Only 2,540 are left in the United States.
"The ZeroAccess botnet is still under the control of the original actors," says Keith Jarvis, Dell SecureWorks CTU security researcher. "They haven't moved any bots, this just happens to be the geographic distribution of the residual infected hosts still remaining in the botnet."
From the researchers' blog post today: