A mid-year switch in communication protocol and distribution strategy is behind a spike in activity from the ZeroAccess botnet, a prolific and malicious ad click fraud network.

Researchers at Kindsight Security Labs reported today that ZeroAccess accounted for 29 percent of home network infections in the third quarter, up significantly from previous measurements, according to Kevin McNamee, security architect and director of Kindsight Security Labs.

“At the middle of the year it changed from a TCP-based peer-to-peer botnet to one that uses UDP,” McNamee said. “Its mechanisms for ad click fraud also changed. The people running this botnet have been more aggressive about its distribution through affiliate channels. They’re making a lot of money I would guess.”

UDP is a more robust protocol than TCP, McNamee said. He added that this would make a takedown much more difficult.

Kindsight counts more than two million ZeroAccess infections on any given day, 600,000 of them in the United States. More than one million of those bots are involved in ad click fraud, clicking on close to 140 million ads per day and generating 260 terabytes of network traffic daily.

“The actual attempted ad click fraud is around $900,000 per day,” McNamee said.

Kindsight said the botmasters own a number of sites that host pay-per-click ads, and the ZeroAccess bots are programmed to click on ads hosted on these sites. The bots reach out to command and control servers for a list of ads; the C&C servers control which ads are clicked by which bots, and when, in order to beat fraud detection mechanisms.

“To enhance the realism and make the clicks look like they are from a real person, the bots are programmed to follow the ad-click through to the advertiser’s landing page through several layers of redirection, loading all the HTML, JavaScript and graphics components as would a regular browser,” Kindsight’s report said. The report adds that about 18 of every 140 clicks are paid out by an advertiser; at five cents per click, roughly 18 million paid clicks a day account for the $900,000 total.

The botmasters are running the Black Hole Exploit Kit on malicious sites and using phishing or spam campaigns to lure victims. Once a user lands on a compromised site, Black Hole attempts to exploit a number of browser vectors, including the Adobe Flash and Java browser plug-ins. If an exploit succeeds, ZeroAccess for the most part drops the TDSS rootkit (also tracked as Alureon), giving an attacker remote control of the compromised machine. The rootkit lets them drop additional malware depending on the campaign; Zeus, DNS Changer, Flashback, Cutwail and many others are in the botmasters’ arsenal.

The attackers have also widened their lineup of contributors, known as affiliates. Affiliates can contract with the botmaster for an ID and are paid per malware installation. Once a machine is infected, the malware checks back in with command and control and reports the affiliate ID so the affiliate can be paid.

Kindsight’s numbers come from sensors placed on customer ISP networks. The sensors look at network traffic for signs of malware infections and either alert the ISP or can, on a per-subscription basis, alert the ISP’s customer of a problem. From July to September, Kindsight estimates that 13 percent of home networks exhibited some sign of malware infection, half of them infected with a high-level threat such as a rootkit, banking Trojan, DDoS malware, or keyloggers and other malware associated with identity theft and credential harvesting.
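Because the bots load the advertiser’s landing page exactly as a browser would, inspecting page content does not separate a fraudulent click from a real one; what remains is behaviour, chiefly click volume and timing per host. The article’s own figures (about 140 million clicks a day from roughly one million bots) put a bot at around 140 ad clicks per day, spread around the clock. The following script is an added example, not code from Kindsight or from the ZeroAccess malware, of a sensor-style profiler that applies that observation to proxy-style traffic logs, as described for the click-fraud mechanism above and the ISP sensors in the previous paragraph. The log format, the ad-redirect hostnames, the thresholds and the sample lines are all constructed assumptions.

```python
# Added example: flag hosts whose pay-per-click ad-click pattern looks automated.
# Not Kindsight's sensor code and not ZeroAccess code; all names and numbers below
# are assumptions made for the example.
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed: the operator knows which hostnames serve pay-per-click ad redirects.
# Placeholder names, not real ad networks.
AD_CLICK_HOSTS = {"click.ppc-example.test", "redir.ads-example.test"}

# Derived from the article: ~140 million clicks/day over ~1 million bots, i.e.
# roughly 140 ad clicks per bot per day. A person clicks far fewer ads and not
# evenly across all 24 hours. Both thresholds are assumptions.
MAX_HUMAN_CLICKS_PER_DAY = 50
MIN_BOT_ACTIVE_HOURS = 18


def parse_line(line):
    """Parse an assumed 'ISO8601 src_ip method url' log line into (datetime, ip, host)."""
    ts, ip, _method, url = line.split(maxsplit=3)
    host = url.split("//", 1)[1].split("/", 1)[0].lower()
    return datetime.fromisoformat(ts), ip, host


def profile_hosts(lines):
    """Count ad-click requests per source IP and record the distinct hours they occur in."""
    stats = defaultdict(lambda: {"clicks": 0, "hours": set()})
    for line in lines:
        ts, ip, host = parse_line(line)
        if host in AD_CLICK_HOSTS:
            stats[ip]["clicks"] += 1
            stats[ip]["hours"].add(ts.hour)
    return stats


def flag_click_bots(lines, max_clicks=MAX_HUMAN_CLICKS_PER_DAY,
                    min_hours=MIN_BOT_ACTIVE_HOURS):
    """Return {ip: reason} for hosts that exceed human click volume or click around the clock."""
    flagged = {}
    for ip, s in profile_hosts(lines).items():
        reasons = []
        if s["clicks"] > max_clicks:
            reasons.append(f"{s['clicks']} ad clicks in one day")
        if len(s["hours"]) >= min_hours:
            reasons.append(f"active in {len(s['hours'])} of 24 hours")
        if reasons:
            flagged[ip] = "; ".join(reasons)
    return flagged


def constructed_log():
    """Build one constructed day of log lines: one bot-like host and one human-like host."""
    day = datetime(2012, 9, 12)
    lines = []
    # Bot-like host: one ad click every 10 minutes all day, each followed by the
    # landing-page fetch the article describes (so content alone looks legitimate).
    for i in range(144):
        ts = (day + timedelta(minutes=10 * i)).isoformat()
        lines.append(f"{ts} 192.0.2.10 GET http://click.ppc-example.test/c?id={i}")
        lines.append(f"{ts} 192.0.2.10 GET http://landing.example/index.html")
    # Human-like host: a few clicks during the evening plus ordinary browsing.
    for h in (19, 20, 21):
        ts = (day + timedelta(hours=h, minutes=15)).isoformat()
        lines.append(f"{ts} 192.0.2.20 GET http://redir.ads-example.test/go?x={h}")
    lines.append(f"{day.isoformat()} 192.0.2.20 GET http://news.example/")
    return lines


if __name__ == "__main__":
    for ip, why in flag_click_bots(constructed_log()).items():
        print(ip, why)
```

Run against the constructed day, only 192.0.2.10 is flagged, on both counts. In practice the thresholds need tuning per network, and a real sensor would also key on the C&C check-in rather than on ad traffic alone; the point of the example is that, once the bots render landing pages like a browser, per-host rate and time-of-day distribution are the signals left to a network-side observer.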

ZeroAccess is also involved in Bitcoin mining for profit. Bitcoin, a virtual currency, is managed via a peer-to-peer network. Bitcoin miners perform the proof-of-work hashing that confirms blocks of transactions on the network, and they are rewarded in bitcoins that can be converted to real cash. Half of ZeroAccess bots are in the Bitcoin mining pool, Kindsight said. Sophos estimated that ZeroAccess could be earning as much as $2.7 million annually via Bitcoin mining.
