ZeroAccess botnet

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.^[1]

The ZeroAccess botnet was discovered at least around May 2011.^[2] The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems.^[3] Estimates botnet size vary across sources; antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.^[4][5]

The bot itself is spread through the ZeroAccess rootkit through a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either by disguising it as a legitimate file, or including it hidden as an additional payload in an executable that announces itself as, for example, bypassing copyright protection (a keygen). A second attack vector utilizes an advertising network in order to have the user click on an advertisement that redirects them to a site hosting the malicious software itself. Finally, a third infection vector used is an affiliate scheme where third-party persons are paid for installing the rootkit on a system.^[6][7]

In December 2013 a coalition led by Microsoft moved to destroy the command and control network for the botnet. The attack was ineffective though because not all C&C were seized, and its peer-to-peer command and control component was unaffected - meaning the botnet could still be updated at will.^[8]

Once a system has been infected with the ZeroAccess rootkit it will start one of the two main botnet operations: bitcoin mining or click fraud. Machines involved in bitcoin mining generate bitcoins for their controller, the estimated worth of which was 2.7 million US dollars per year in September 2012.^[9] The machines used for click fraud simulate clicks on website advertisements paid for on a pay per click basis. The estimated profit for this activity may be as high as 100,000 US dollars per day,^[10][11] costing advertisers $900,000 a day in fraudulent clicks.^[12] Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine. It may alternatively infect a random driver in C:\Windows\System32\Drivers giving it total control over the operating system.^{[citation needed]} It also disables the Windows Security Center, Firewall, and Windows Defender from the operating system. ZeroAccess also hooks itself into the TCP/IP stack to help with the click fraud.

The software also looks for the Tidserv malware and removes it if it finds it.^[1]

• Botnet
• Malware
• Command and control (malware)
• Zombie (computer science)
• Internet crime
• Internet security
• Click fraud
• Clickbot.A

• Analysis of the ZeroAccess botnet, created by Sophos.
• ZeroAccess Botnet, Kindsight Security Labs.
• New C&C Protocol for ZeroAccess^{[permanent dead link]}, Kindsight Security Labs.