Microsoft leads transatlantic attack on ZeroAccess botnet

News by Tim Ring

Microsoft, the European Cybercrime Centre, the FBI and other agencies disrupt ZeroAccess botnet.

Microsoft has teamed up with the European Cybercrime Centre (EC3), America's FBI and other government agencies in a transatlantic sting operation to severely disrupt the highly virulent ZeroAccess botnet, which is thought to be responsible for infecting over 2 million computers worldwide.

ZeroAccess is a peer-to-peer infection that targets Google, Bing and Yahoo search engine users. It hijacks their searches and redirects them to websites that could install malware on their computer, steal their personal data or generate fraudulent advert clicks in order to claim payouts from advertisers. Microsoft estimates it costs online advertisers around US$ 2.7 million (£1.65 million) each month.

Working through its newly opened US-based Digital Crimes Unit, Microsoft filed a civil suit against the cyber criminals operating ZeroAccess, and simultaneously blocked their command and control servers. The company was also authorised by a Texas District Court to halt communications between the criminals' main US-based computers and 18 identified Internet Protocol (IP) addresses being used to commit the fraud. It also took control of 49 domains associated with ZeroAccess.

At the same time, EC3 co-ordinated police raids targeting 18 IP addresses in Europe, while police cyber crime units in Germany, Latvia, Luxembourg, Switzerland and The Netherlands executed search warrants and seized computers associated with the IP addresses.

Technical help was also provided by networking and security solutions provider A10 Networks.

The agencies involved believe they have “severely disrupted” but not halted the use of ZeroAccess, also known as Sirefef, as a result.

Richard Domingues Boscovich, assistant general counsel with the Microsoft Digital Crimes Unit, said in a December 5 blog post: “Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet. However, we do expect this legal and technical action will significantly disrupt the botnet's operation by disrupting the cybercriminals' business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims' computers from committing the fraudulent schemes.”

But Ian Shaw, managing director of UK-based security consultancy MWR InfoSecurity, sounded a note of further caution. He said that ZeroAccess has been around since 2009 and will be back.

“It was designed to be more virulent and to defend against that kind of attack,” he told us. “Typically it uses peer-to-peer networking and that's always going to make it a challenge to take it down. I should imagine it will continue for quite a while.

“There are big implications for security professionals - specifically in organisations where they allow users' own PCs to connect to corporate networks; potentially that compromises those corporate networks.”

The bring-your-own-device (BYOD) trend, in which users bring their own laptops to work or connect their own devices to the company network, is the main source of that vulnerability, he said.

“While these botnets aren't really threatening corporate networks primarily, the fact it's providing a vulnerability to that network should be of concern to security professionals. They should be looking to educate their users or taking a more technical approach, looking for infected PCs.”

Shaw also suggested users should be educated to look for suspicious search results.

“Are you seeing yourself continually directed to certain domains, or perhaps on some search results you're getting a lot of attempted pop-ups - generally being hit a lot harder with advertising than you'd expect to be and then perhaps being redirected to sites you hadn't really planned on visiting?”

Shaw said Microsoft and other vendors offer simple clean-up tools that are freely available, while Boscovich recommended that people visit for instructions on how to remove the threat.

Boscovich added: “Because Microsoft found that the ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it is critical that victims rid their computers of ZeroAccess by using malware removal or anti-virus software as quickly as possible.”

He said Microsoft is also working with partners to notify people if their computer is infected, and making this information available through its Cyber Threat Intelligence Programme (C-TIP).

The company's Digital Crimes Unit opened on November 14 and is staffed by nearly 100 lawyers, investigators and forensic analysts both in the US and worldwide. They have expertise in malware, botnets, IP crimes and technology-facilitated child exploitation. Microsoft has been involved in actions against eight botnets in the past three years.

EC3 is based in The Hague, Netherlands and is part of the Europol European police agency.
