The ZeroAccess botnet is one of the largest known botnets in existence today, with a population upwards of 1.9 million computers on any given day, as observed by Symantec in August 2013. A key feature of the ZeroAccess botnet is its use of a peer-to-peer (P2P) command-and-control (C&C) communications architecture, which gives the botnet a high degree of availability and redundancy. Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet. Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network. This way, bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently. In the ZeroAccess botnet, there is constant communication between peers. Each peer continuously connects with other peers to exchange peer lists and check for updated files, making it highly resistant to any take-down attempts.

Sinkholing the botnet

Back in March of this year, our engineers began to study in detail the mechanism used by ZeroAccess bots to communicate with each other, to see how the botnet could be sinkholed. During this process, we examined a weakness that offered a difficult, but not impossible, way to sinkhole the botnet. We conducted further tests in our controlled labs and found a practical way to liberate peers from the botmaster. During this time, we continued to monitor the botnet and on June 29, we noticed that a new version of ZeroAccess was being distributed through the peer-to-peer network. The updated version contained a number of changes but, crucially, it contained modifications that address the design flaws that made the botnet vulnerable to being sinkholed. The weakness in the ZeroAccess P2P mechanism was discussed by researchers in a report published in May 2013; this may have prompted the ZeroAccess botmaster to upgrade ZeroAccess to prevent any attempts to sinkhole the ZeroAccess botnet.

Having seen the changes beginning to roll out, and with a viable plan in place, we were faced with a choice: start our operations now or risk losing the initiative. On July 16, we began to sinkhole ZeroAccess infections. This operation quickly resulted in the detachment of over half a million bots and made a serious dent in the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new ZeroAccess bot became sinkholed. To understand the potential impact of this, we need to consider what the ZeroAccess botnet is used for.
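As an added illustration of the peer-list gossip described in the opening paragraph and of why sinkholing works against it, the following constructed Python model is ours and is not Symantec's code nor the real ZeroAccess protocol: each bot keeps a bounded peer list, contacts one known peer per round and merges the reply newest-first, while defender-run sinkhole peers answer every request with only other sinkholes. The list size, the seeded fraction, the peer naming and the unverified merge policy are assumptions of the model, not details taken from the botnet.

```python
import random

PEER_LIST_SIZE = 8  # assumed bounded peer-list length (constructed, not ZeroAccess's real value)

def is_sinkhole(peer):
    # Constructed naming: defender-run peers are "sinkN", botmaster peers are "botN".
    return peer.startswith("sink")

def merge_peer_list(own, received, limit=PEER_LIST_SIZE):
    """Newest-first, de-duplicated, bounded merge; assumes a bot trusts any advertised peer."""
    merged = []
    for peer in received + own:
        if peer not in merged:
            merged.append(peer)
    return merged[:limit]

def build_network(n_bots, n_sinkholes, seed_fraction, rng):
    """Constructed population: random botmaster peers, plus one sinkhole for a seeded few."""
    bots = [f"bot{i}" for i in range(n_bots)]
    sinks = [f"sink{i}" for i in range(n_sinkholes)]
    seeded = set(rng.sample(bots, max(1, int(n_bots * seed_fraction))))
    lists = {}
    for b in bots:
        lists[b] = rng.sample([o for o in bots if o != b], PEER_LIST_SIZE)
        if b in seeded:
            lists[b][0] = rng.choice(sinks)  # the defender's initial foothold
    return bots, sinks, lists

def respond(peer, lists, sinks):
    """A sinkhole answers a peer-list request with only sinkholes; a bot returns its own list."""
    return list(sinks) if is_sinkhole(peer) else list(lists[peer])

def sinkholed_fraction(lists):
    """Share of bots whose list no longer holds any botmaster-controlled peer."""
    done = sum(all(is_sinkhole(p) for p in peers) for peers in lists.values())
    return done / len(lists)

def simulate(n_bots=200, n_sinkholes=PEER_LIST_SIZE, seed_fraction=0.05, max_rounds=200, seed=7):
    """Each round every bot contacts one known peer and merges the reply.
    Returns the first round at which every bot is sinkholed, or None within max_rounds."""
    rng = random.Random(seed)
    bots, sinks, lists = build_network(n_bots, n_sinkholes, seed_fraction, rng)
    for rnd in range(1, max_rounds + 1):
        for b in bots:
            target = rng.choice(lists[b])
            lists[b] = merge_peer_list(lists[b], respond(target, lists, sinks))
        if sinkholed_fraction(lists) == 1.0:
            return rnd
    return None
```

Because sinkholed bots keep answering peer-list requests, they themselves spread the sinkhole addresses, which is why the model converges in a handful of rounds once a foothold exists.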

ZeroAccess: the courier service

Given its construction and behavior, ZeroAccess appears to be primarily designed to deliver payloads to infected computers. In a ZeroAccess botnet, the productive activity (from an attacker’s point of view) is performed by the payloads downloaded to compromised computers, which boil down to two basic types, both aimed at revenue-generating activities.

Click fraud

One type of payload we’ve seen is the click fraud Trojan. The Trojan downloads online advertisements onto the computer and then generates artificial clicks on the ads as if they were generated by legitimate users. These false clicks count for pay-outs in pay-per-click (PPC) affiliate schemes.

Bitcoin mining

The virtual currency holds a number of attractions for cybercriminals. Each bitcoin comes into existence through the carrying out of mathematical operations, known as “mining”, on computing hardware. This activity has a direct value to the botmaster and a cost to unsuspecting victims; we took a closer look at the economics and impact of this activity using some old computers available in our labs.

The economics of ZeroAccess

Out of interest, we took some old hardware that we had lying around in the office to test what kind of impact the ZeroAccess botnet would have in terms of energy usage and the economics of these activities. We looked at both click fraud and bitcoin mining but focussed on the bitcoin mining because it is potentially the most intensive activity undertaken by the bots and has a direct economic value to the botmaster. We infected the test lab computers with ZeroAccess and then set them bitcoin mining; we also had a clean control computer that was just allowed to idle. We hooked the computers up to power meters to see the amount of power being consumed by the test computers. The results make for some interesting reading.