Microsoft and Friends Take Down ZeroAccess Botnet

Microsoft’s crusade against botnets raged on yesterday as the Redmond, Washington-based computer giant and a coalition of law enforcement agencies and Internet security companies disrupted the notorious ZeroAccess botnet.

ZeroAccess, or Sirefef as Microsoft likes to call it, is a malware platform that targets all major browsers and search engines. Its two primary functions are to hijack search results, redirecting users to malicious websites hosting information-stealing and other malware, and to commit click fraud. In the past, ZeroAccess has demonstrated a proclivity for Bitcoin mining as well.

Microsoft teamed up with Europol’s European Cybercrime Centre (EC3), the FBI, and the application networking and security firm A10 Networks to take down ZeroAccess, which has reportedly infected some two million machines and costs online advertising firms nearly $3 million per month.

Back in the good old days (2010), a botnet takedown was as simple as sinkholing the operation’s command and control server and ceasing its operations. At least in part because of this, many contemporary botnet handlers have moved to a peer-to-peer botnet architecture. This distributed botnet design means that the cybercriminals operating ZeroAccess could remotely control the botnet from tens of thousands of different infected machines. Thus, shutting ZeroAccess down required a cocktail of legal and technical measures.
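The difference between the two architectures is easy to see in a graph model. The following Python script is an added illustration, not code from the article or from any of the organizations named in it, and it does not model the real ZeroAccess peer protocol: it builds a toy centralized botnet (a star around one command-and-control node) and a toy peer-to-peer botnet (a ring with chord links, where any peer can relay commands), then counts how many bots remain reachable from a surviving control point after a given set of nodes is taken offline. Node counts, the chord offsets and the removed sets are all constructed for the example.

```python
"""Toy model of why sinkholing one C2 server kills a centralized botnet but not a P2P one.

Added example; the graphs below are constructed for illustration and are not the
ZeroAccess protocol. Nodes are integers; an edge means the two nodes can exchange
commands directly.
"""
from collections import deque


def centralized_botnet(n_bots):
    """Star topology: node 0 is the C2 server, bots 1..n_bots talk only to it."""
    adj = {i: set() for i in range(n_bots + 1)}
    for bot in range(1, n_bots + 1):
        adj[0].add(bot)
        adj[bot].add(0)
    return adj, {0}  # adjacency, set of nodes that can issue commands


def p2p_botnet(n_bots, n_controllers, offsets=(1, 7, 13)):
    """Ring-with-chords topology: every peer i links to i+1, i+7, i+13 (mod n).

    Controllers are ordinary peers spread evenly around the ring; commands can be
    injected at any of them and relayed peer to peer.
    """
    adj = {i: set() for i in range(n_bots)}
    for i in range(n_bots):
        for off in offsets:
            j = (i + off) % n_bots
            adj[i].add(j)
            adj[j].add(i)
    step = n_bots // n_controllers
    controllers = {k * step for k in range(n_controllers)}
    return adj, controllers


def still_controllable(adj, controllers, removed):
    """Number of non-controller bots that can still reach a live controller.

    `removed` is the set of nodes taken offline (sinkholed, seized, blocked).
    A breadth-first search from the surviving controllers over surviving nodes
    finds every bot that can still receive commands.
    """
    live_controllers = controllers - removed
    seen = set(live_controllers)
    queue = deque(live_controllers)
    while queue:
        node = queue.popleft()
        for peer in adj[node]:
            if peer not in removed and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return len(seen - controllers)


def takedown_comparison(n_bots=1000):
    """Run both models through a takedown and return the bot counts that survive."""
    star_adj, star_ctrl = centralized_botnet(n_bots)
    p2p_adj, p2p_ctrl = p2p_botnet(n_bots, n_controllers=10)

    return {
        # Centralized: one sinkholed C2 orphans every bot.
        "star_before": still_controllable(star_adj, star_ctrl, set()),
        "star_after_c2_sinkhole": still_controllable(star_adj, star_ctrl, {0}),
        # P2P: knocking out half the peers (constructed: nodes 1..499, which also
        # removes four of the ten controllers) still leaves the rest reachable.
        "p2p_before": still_controllable(p2p_adj, p2p_ctrl, set()),
        "p2p_after_half_removed": still_controllable(
            p2p_adj, p2p_ctrl, set(range(1, n_bots // 2))
        ),
    }


if __name__ == "__main__":
    for scenario, bots in takedown_comparison().items():
        print(f"{scenario:>24}: {bots} bots still reachable")
```

In the star model, removing the single C2 node drops the controllable count from 1000 to 0, which is the 2010-era takedown the article describes. In the peer-to-peer model, taking 499 of 1000 peers offline still leaves 495 bots reachable through the surviving peers, which is why blocking the 18 IP addresses and seizing the 49 domains had to be paired with the legal action and server seizures rather than standing alone.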

Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.

“The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection,” said David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit.

Meanwhile, outside the U.S., Europol shut down 18 malicious IP addresses and worked in conjunction with Latvia, Luxembourg, Switzerland, the Netherlands and Germany to execute search warrants and seizures of computer servers associated with the fraudulent IP addresses.

“This operation marks an important step in coordinated actions that are initiated by private companies and, at the same time, enable law enforcement agencies around Europe to identify and investigate the criminal organizations and networks behind these dangerous botnets that use malicious software to gain illicit profits,” said Troels Oerting, head of the EC3.

Microsoft and its partners realistically note that their actions against ZeroAccess are unlikely to shut the botnet down altogether. However, the legal and technological measures taken, they believe, will significantly disrupt ZeroAccess, prevent victim machines from contributing to its illicit behavior, and likely cause the botnet’s operators to rebuild.

“If the hacker community has not yet taken notice, today’s disruption of the ZeroAccess botnet is another example of the power of public-private partnerships,” FBI Executive Assistant Director Richard McFeely said. “It demonstrates our commitment to expand coordination with companies like Microsoft and our foreign law enforcement partners — in this case, Europol — to shut down malicious cyberattacks and hold cybercriminals accountable for exploiting our citizens’ and businesses’ computers.”
