Microsoft is declaring the ZeroAccess botnet dead.
Two weeks after obtaining a court order to disrupt the botnet’s ability to carry out click-fraud, assistant general counsel Richard Boscovich of Microsoft’s Digital Crimes Unit said late last week that the botmasters behind ZeroAccess had abandoned ship.
Microsoft’s takedown was quickly questioned by experts who said that while Microsoft may have temporarily disrupted the criminals’ ability to carry out click-fraud, malware distribution, and other malicious activities, it did not impair the peer-to-peer botnet’s communication protocol. As expected, the attackers were able to issue new configuration commands to bots under their control and resume operations.
Boscovich, however, said Microsoft and its partners in this operation, Europol’s Cybercrime Center and Germany’s Bundeskriminalamt’s (BKA) Cyber Intelligence Unit, were able to monitor this activity, identify and track down new IP addresses used in fraud schemes under the new configuration. The German BKA led the charge in this respect less than 24 hours after the disruption began, Boscovich said.
“After BKA’s quick response, the bot-herders released one additional update to the infected computers that included the message ‘WHITE FLAG,’ which we believe symbolizes that the criminals have decided to surrender control of the botnet,” Boscovich said. “Since that time, we have not seen any additional attempts by the bot-herders to release new code and as a result, the botnet is currently no longer being used to commit fraud.”
Damballa researcher Yacin Nadji was one of the more outspoken critics of Microsoft’s approach. Today he told Threatpost he doesn’t believe the WHITE FLAG message is an indication of surrender.
“As far as we can see, the P2P communication channel is still operational. The ‘WHITE FLAG’ message simply shows that the botmasters can communicate with the infected hosts at their leisure,” Nadji said. “Given all the media attention focused on ZeroAccess now, immediately re-engaging in fraudulent activities is probably not in the botmasters’ best interest. The point remains that, until the P2P network is disrupted, the botnet can resume malicious activities at any time.”
If Microsoft is correct, ZeroAccess is one of the first peer-to-peer botnets to be shut down in such an effort. In the past, Microsoft has led efforts to squash botnets such as Kelihos and Nitol using a similar coordinated effort with U.S. and international law enforcement. Those botnets, however, worked off of a centralized and command and control infrastructure and the good guys were able to key in on a relatively small number of command servers.
Communication in a peer-to-peer botnet, however, is much different. Usually, attackers write a custom protocol that supports communication between bots; through this channel, updates and configuration changes are shared, rather than with a single point of failure. Researchers in the past have had a difficult time enumerating peer-to-peer botnets, much less taking them down. A research report presented earlier this year said P2P botnets were resilient to sinkholing and other research and takedown methods. ZeroAccess, according to the paper, updated its peer lists automatically every few seconds and would communicate only through the 256 most recent peers.
“P2P networks are more complex to design, implement, and maintain than a centralized infrastructure and they may still be vulnerable to attacks,” said Dr. Brett Stone-Gross, a senior security researcher with Dell SecureWorks and one of the paper’s authors. “There are also ways to harden a centralized botnet to make it more resilient to takedown efforts, so P2P may not be worth the additional effort.”
Stone-Gross said at the time of the ZeroAccess disruptions that there were advantages and disadvantages to Microsoft’s approach, and that click-fraud operations could be quickly restarted or repurposed.
“It is very easy for the attackers to restore click-fraud capabilities,” he said. “They can simply push new click-fraud modules (or other types of malware) and configuration files through the P2P network whenever they choose.”
Microsoft, the EC3, FBI, and the application networking and security firm A10 Networks cooperated on the disruption of ZeroAccess, reported on Dec. 6. Microsoft filed a lawsuit against the botnet’s operators, and a Texas district court granted the tech giant permission to block incoming and outgoing traffic to 18 IP addresses found to be involved in the scam. Microsoft was also able to wrest control of 49 domains associated with ZeroAccess.
Statistics from Microsoft and Europol estimate there were nearly two million compromised computers at the disposal of the ZeroAccess botmaster, who was collecting close to $3 million monthly in fraudulent advertising.
