Microsoft Cripples ZeroAccess Click Fraud Botnet


Law enforcement and an industry consortium of security researchers led by Microsoft may have partially dismantled the backbone behind a notorious botnet that infected millions of PCs to help drive fraudulent clicks on Web advertisements.

Microsoft late Thursday said legal action was filed in Texas to block botnet communications to infected computers in the U.S. Meanwhile, law enforcement from Europol worked with authorities in Latvia, Luxembourg, Switzerland, the Netherlands and Germany to seize command and control servers that issued orders from the cybercriminals to the infected computers.

The botnet consisted of at least 1.9 million infected PCs that communicated through a peer-to-peer infrastructure, making it slightly more resilient to disruption than the average botnet, security experts told CRN. At any given time, 800,000 ZeroAccess connected systems were active on the Internet on any given day, Microsoft said. The Redmond, Wash., company acknowledged that the botnet would likely recover.

[Related: Blackhole Author Arrested: 10 Facts About The Automated Attack Toolkit]

"Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet," wrote Richard Domingues Boscovich, assistant general counsel of the Microsoft Digital Crimes Unit. "However, we do expect this legal and technical action will significantly disrupt the botnet's operation by disrupting the cybercriminals' business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims' computers from committing the fraudulent schemes."

The ZeroAccess botnet operated through at least 18 different server locations containing 49 malicious domains designed to infect more systems, according to Microsoft's civil suit against the anonymous cybercriminals, filed in U.S. District Court for the Western District of Texas.

ZeroAccess, which was first identified in 2011, used a monetary pay-per-click scheme, creating a network designed to poison search engine results. Its success has threatened Google AdWords, Microsoft's BingAds and other online advertisers by gaming pay-per-click advertisements and cashing in on the fraud. Symantec took action to wipe out about 500,000 ZeroAccess infected systems last month. Some experts estimate that the botnet earned up to $1 million a day.

Microsoft and a variety of its partners have been on a sustained campaign to cripple and dismantle portions of the infrastructure that support spam campaigns, phishing attacks and malware infections. Botnets tied to tens of thousands and sometimes millions of infected PCs have been connected to websites supporting child pornography and underground hacking forums where stolen data is bought and sold and hacking services are procured. A report by Palo Alto Networks in March found at least 40 percent of the malware it was detecting was tied to the Zeus and ZeroAccess botnets. The servers supporting the malware were designed to automatically re-encode the payload to appear unique and bypass antivirus and other signature-based security defenses.

Security experts at managed security service providers told CRN that actions to take out botnets are a positive short-term step but are unlikely to stem the onslaught of malware and other threats impacting their business clients. Law enforcement action, however, could deter some young computer users from turning to automated hacking tools to conduct attacks, said Arthur Hedge, CEO of Morristown, N.J.-based managed security service provider Castle Ventures. It's difficult to measure the impact of actions to wipe out botnets and take out cybercriminal gangs, he said.

"Doing nothing would make the problem far worse," Hedge said. "As long as there's clearly malicious activity, I'm in favor of taking it out."

It's a constant game of Whac-a-Mole, said Jim O'Brian, chief information security officer at Overland Park, Kan.-based solution provider Choice Solutions. O'Brian said he often sees organizations deploy technology to combat perceived threats without doing due diligence in advance to weed out vulnerabilities and configuration errors. Combating malware infections requires increased visibility and a careful risk assessment of the environment to address weaknesses before an attacker exploits them, O'Brian said.

"If you don't know what risks are in your network, you are not going to know what you need to fix," O'Brian said in a recent interview. "If you know what is going on in your network, you can make adjustments during the year. But if you don't remain vigilant, when you're not watching is exactly when you are going to get hit."

PUBLISHED DEC. 6, 2013