Symantec disables 500,000 botnet-infected computers By Tom Espiner

Technology reporter Published duration 1 October 2013

image caption A quarter of the ZeroAccess network of zombie computers has been disabled, says Symantec.

Symantec has disabled part of one of the world's largest networks of infected computers.

About 500,000 hijacked computers have been taken out of the 1.9 million strong ZeroAccess botnet, the security company said.

The zombie computers were used for advertising and online currency fraud and to infect other machines.

Security experts warned that any benefits from the takedown might be short-lived.

The cybercriminals behind the network had not yet been identified, said Symantec.

"We've taken almost a quarter of the botnet offline," Symantec security operations manager Orla Cox told the BBC. "That's taken away a quarter of [the criminals'] earnings."

The ZeroAccess network is used to generate illegal cash through a type of advertising deception known as "click fraud".

Communications poisoned

Zombie computers are commanded to download online adverts and generate artificial mouse clicks on the ads to mimic legitimate users and generate payouts from advertisers.

The computers are also used to create an online currency called Bitcoin which can be used to pay for goods and services.

The ZeroAccess botnet is not controlled by one or two servers, but relies on waves of communications between groups of infected computers to do the bidding of the criminals.

The decentralised nature of the botnet made it difficult to act against, said Symantec.

In July, the company started poisoning the communications between the infected computers, permanently cutting them off from the rest of the hijacked network, said Ms Cox.

The company had set the ball in motion after noticing that a new version of the ZeroAccess software was being distributed through the network.

The updated version of the ZeroAccess Trojan contained modifications that made it more difficult to disrupt communications between peers in the infected network.

Symantec built its own mini-ZeroAccess botnet to study effective ways of taking down the network, and tested different takedown methods for two weeks.

The company studied the botnet and disabled the computers as part of its research operations, which feed into product development, said Ms Cox.

"Hopefully this will help us in the future to build up better protection," she said.

Internet service providers have been informed which machines were taken out of the botnet in an effort to let the owners of the computers know that their machine was a zombie.

Resilient zombies

Although a quarter of the zombie network has been taken out of action, the upgraded version of the botnet will be more difficult to take down, said Ms Cox.

"These are professional cybercriminals," she said. "They will likely be looking for ways to get back up to strength."

In the long term, the zombie network could grow back to its previous size, security experts said.

"Every time a botnet is taken down, but the people who run it are not arrested, there is a chance they can rebuild the botnet," said Vincent Hanna, a researcher for non-profit anti-spam project Spamhaus.

The remaining resilient part of the network may continue to be used for fraud, and could start spreading the upgraded ZeroAccess Trojan, Mr Hanna warned.

Taking down infected networks is a "thankless task", according to Sophos, a rival to Symantec.