Untouched P2P Communication Infrastructure Keeps ZeroAccess Up and Running

Microsoft’s takedown of the ZeroAccess botnet wasn’t a complete success. Experts point out that Microsoft targeted only the money-making aspects of the botnet, and that its communication protocol was untouched.

Microsoft trumpeted its disruption of the ZeroAccess peer-to-peer botnet late last week, but some experts are holding off on scheduling a celebratory ticker-tape parade.

With numerous successful takedowns of botnets with a centralized command and control infrastructure in its back pocket, Microsoft may have missed on its first crack at a P2P botnet. Security company Damballa, for one, is reporting that Microsoft targeted only the click-fraud component of the botnet and not the custom communication protocol used by ZeroAccess to distribute configuration files and new commands. Attackers, researchers say, can simply issue new configuration files to the botnet and resume operations in a relatively short amount of time.

As for the click-fraud component, Damballa researchers say that approximately 62 percent of that part of the infrastructure seems to be up and running.

“Even without updates being sent across the P2P channel, the botnet’s monetization was largely unaffected,” wrote Damballa chief scientist Manos Antonakakis and Yacin Nadji, a Ph.D. candidate at the Georgia Institute of Technology, in a blog post.

Nadji told Threatpost this morning that the attackers could be up and running again shortly, needing only to acquire additional servers and domain names and then update a text file with the new information. He added that sending new configuration files is far cheaper for an attacker than rebuilding from scratch.

“If you disable the click-fraud component without disrupting the peer-to-peer infrastructure, the botnet masters just have to use the existing peer-to-peer infrastructure to send updates to say ‘Ok, don’t use this click fraud infrastructure any more, use this new one,’” Nadji said. “It doesn’t eliminate the botmasters’ ability to communicate with its infected peers, so if they had asked anyone’s opinion in the security community who is familiar with this botnet, they would have been able to say this is not going to do anything.”

Peer-to-peer botnets such as ZeroAccess, Kelihos, and versions of Zeus have proven difficult to keep in check because compromised bots talk to each other rather than to a central server. They often employ custom communication protocols that must be decrypted before they can be analyzed, and researchers have in the past had a rough go analyzing peer-to-peer botnets, or even enumerating their size.

A paper released earlier this year examined these features as well as botnets’ resilience to sinkholing, injection attacks and other disruptive methods used against other botnets. According to the paper, ZeroAccess maintains its peer lists by updating them every few seconds and merging previous lists, keeping the 256 most recent peers.
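The peer-list behaviour described in that paper can be modelled to see why it matters for takedowns: an entry that is not refreshed is pushed out as fresher peers arrive. The following is an added illustration, not code from the article, the paper or ZeroAccess itself; only the merge step and the 256-peer cap come from the text, and the record layout, timestamps and sample addresses are assumptions.

```python
"""Toy model of the ZeroAccess peer-list maintenance described above.

Two facts come from the article: a bot merges newly received peer lists
into its own, and it keeps the 256 most recent peers. The record layout,
timestamps and sample data below are assumptions made for illustration.
"""
from dataclasses import dataclass

MAX_PEERS = 256  # from the article: only the 256 most recent peers are kept


@dataclass(frozen=True)
class Peer:
    addr: str        # assumed: a peer is identified by its address string
    last_seen: int   # assumed: seconds; a higher value means more recent


def merge_peer_lists(current, received, max_peers=MAX_PEERS):
    """Merge a received list into the current one: de-duplicate by address,
    keep the most recent timestamp per peer, and retain only the
    max_peers most recent entries."""
    best = {}
    for p in list(current) + list(received):
        if p.addr not in best or p.last_seen > best[p.addr].last_seen:
            best[p.addr] = p
    ranked = sorted(best.values(), key=lambda p: p.last_seen, reverse=True)
    return ranked[:max_peers]


def simulate_churn(seed_peers, rounds, fresh_per_round, start_time=0):
    """Apply `rounds` merges, each bringing `fresh_per_round` previously
    unseen peers (constructed 10.x.x.x addresses), and return how many of
    the original seed peers survive in the list. Shows how quickly entries
    that are never refreshed are aged out of a 256-entry list."""
    peers = list(seed_peers)
    seed_addrs = {p.addr for p in seed_peers}
    t = start_time
    for r in range(rounds):
        t += 1
        fresh = [Peer(f"10.{r}.{i // 256}.{i % 256}", t)
                 for i in range(fresh_per_round)]
        peers = merge_peer_lists(peers, fresh)
    return sum(1 for p in peers if p.addr in seed_addrs)


if __name__ == "__main__":
    # Constructed sample: a full list of 256 seeds, then 100 fresh peers per round.
    seeds = [Peer(f"192.0.2.{i}", 0) for i in range(256)]
    for rounds in (1, 2, 3):
        print(rounds, "round(s):", simulate_churn(seeds, rounds, 100), "seeds left")
```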

ZeroAccess has been around since 2009, evolving from a platform that pushed malware to a money-making botnet. According to Microsoft and Europol, it has infected nearly two million computers all over the world and cost online advertisers upwards of $2.7 million each month. Nadji said that taking over a peer-to-peer botnet is time consuming and difficult, largely because you’d have to not only understand the custom communication protocol and encryption being used, but then you would have to advertise yourself as a node on the network and send faulty information to other bots to slowly take it over.

“Even in this case, you would have to worry about reactive botmasters. If they’re able to see if this behavior is happening on the network, they may be able to counter it in some ways,” he said.

Microsoft teamed up with Europol’s European Cybercrime Centre (EC3), the FBI, and the application networking and security firm A10 Networks to take down ZeroAccess. Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.

“The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection,” said David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit.

Nadji hopes to see better collaboration among not only technology companies but also law enforcement and academia to combat peer-to-peer botnets.

“We’ve seen some good cases (Conficker) where people from academia, industry and law enforcement were all working together to combat a serious threat,” Nadji said. “Those are the ones most likely to be successful. With peer-to-peer botnets, there needs to be a lot more work in understanding how we can effectively disable these. If (ZeroAccess takedown) was a more collaborative effort, I think we would have said ‘Hey, wait a minute, we need to handle this better if we’re actually taking down this botnet.’”
