ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.
History and propagation
The ZeroAccess botnet was discovered at least around May 2011. The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems. Estimates of the botnet's size vary across sources: antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.
The bot itself is spread through the ZeroAccess rootkit via a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either by disguising it as a legitimate file, or by hiding it as an additional payload in an executable that announces itself as, for example, bypassing copyright protection (a keygen). A second attack vector utilizes an advertising network to have the user click on an advertisement that redirects them to a site hosting the malicious software itself. Finally, a third infection vector is an affiliate scheme in which third parties are paid for installing the rootkit on a system.
In December 2013 a coalition led by Microsoft moved to destroy the command and control network for the botnet. The attack was ineffective, however, because not all C&C servers were seized, and the botnet's peer-to-peer command and control component was unaffected, meaning the botnet could still be updated at will.
Operation
Once a system has been infected with the ZeroAccess rootkit it will start one of the two main botnet operations: bitcoin mining or click fraud. Machines involved in bitcoin mining generate bitcoins for their controller, the estimated worth of which was 2.7 million US dollars per year in September 2012. The machines used for click fraud simulate clicks on website advertisements paid for on a pay-per-click basis. The estimated profit for this activity may be as high as 100,000 US dollars per day, costing advertisers $900,000 a day in fraudulent clicks.
Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine. It may alternatively infect a random driver in C:\Windows\System32\Drivers, giving it total control over the operating system. It also disables the Windows Security Center, Windows Firewall, and Windows Defender. ZeroAccess also hooks itself into the TCP/IP stack to help with the click fraud.
The software also looks for the Tidserv malware and removes it if it finds it.
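A defender-side triage script for the two host-level effects just described, added here as an example and not taken from the original article or from any vendor's ZeroAccess analysis: it reports the state of the three Windows protection services the rootkit disables and lists files in the Drivers directory whose Authenticode signature does not validate. It assumes PowerShell 5 or later and the standard service names wscsvc, MpsSvc and WinDefend; the premise that a driver overwritten by the rootkit would no longer carry a valid signature is an assumption, not something the article states.

```powershell
# Added example (not part of the original article): triage checks for the
# host-level effects described above. Run from an elevated PowerShell.
# Caveat: a kernel-mode rootkit can hide the files and state it modifies, so a
# clean result from a live system is not proof of absence; an offline scan of
# the disk from known-good media is more reliable.

# 1. Services ZeroAccess is described as disabling. The service names below are
#    the standard Windows names (assumed; adjust if your build differs).
$protectionServices = @{
    'wscsvc'    = 'Windows Security Center'
    'MpsSvc'    = 'Windows Firewall'
    'WinDefend' = 'Windows Defender'
}

function Get-ProtectionServiceState {
    foreach ($name in $protectionServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service    = $protectionServices[$name]
            Name       = $name
            Status     = if ($svc) { $svc.Status } else { 'NotFound' }
            StartType  = if ($svc) { $svc.StartType } else { 'NotFound' }
            # Missing, stopped or disabled protection services are worth a look.
            Suspicious = (-not $svc) -or ($svc.Status -ne 'Running') -or ($svc.StartType -eq 'Disabled')
        }
    }
}

# 2. Drivers in System32\Drivers whose signature does not validate.
#    Assumption: a legitimate driver overwritten by the rootkit no longer
#    validates. On older Windows builds many inbox drivers are catalog-signed
#    and may report NotSigned here, so compare against a known-good baseline
#    rather than treating every hit as malicious.
function Get-UnsignedDrivers {
    param([string]$DriverDir = "$env:SystemRoot\System32\Drivers")
    Get-ChildItem -Path $DriverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Path            = $_.FullName
                    SignatureStatus = $sig.Status
                    LastWriteTime   = $_.LastWriteTime   # recently modified = higher priority
                    SizeBytes       = $_.Length
                }
            }
        } | Sort-Object LastWriteTime -Descending
}

Get-ProtectionServiceState | Format-Table -AutoSize
Get-UnsignedDrivers | Format-Table -AutoSize
```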
See also
* Botnet
* Malware
* Command and control (malware)
* Zombie (computer science)
* Internet crime
* Internet security
* Click fraud
* Clickbot.A
External links
* Analysis of the ZeroAccess botnet, by Sophos.
* ZeroAccess Botnet, Kindsight Security Labs.
* New C&C Protocol for ZeroAccess, Kindsight Security Labs.