Europol, Microsoft Kneecap Click-Fraud Botnet
Authorities in Europe joined Microsoft Corp. this week in disrupting “ZeroAccess,” a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers.
The action comes partly from Europol’s European Cybercrime Center (EC3), as well as law enforcement cybercrime units from Germany, Latvia, Switzerland and the Netherlands, countries that hosted many of the Internet servers used to control the ZeroAccess botnet.
In tandem with the law enforcement moves in Europe, Microsoft filed a civil lawsuit to unmask eight separate cybercriminals thought to be operating the giant botnet, and to block incoming and outgoing communications between infected PCs in the United States and the 18 control servers, according to a statement released by EC3.
The malware that powers the botnet, also known as “ZAccess” and “Sirefef,” is a complex threat that has evolved significantly since its inception in 2009. It began as a malware delivery platform that was used to spread other threats, such as fake antivirus software (a.k.a. “scareware”).
In recent years, however, the miscreants behind ZeroAccess rearchitected the botnet so that infected systems were forced to perpetrate a moneymaking scheme known as “click fraud” — the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site.
It remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term. Early versions of ZeroAccess relied on a series of control servers to receive updates, but recent versions of the botnet malware were designed to make the network as a whole more resilient and resistant to targeted takedowns such as the one executed this week.
Specifically, ZeroAccess employs a peer-to-peer (P2P) architecture in which new instructions and payloads are distributed from one infected host to another. P2P-based botnets are designed to eliminate a single point of failure, so that if one node used to control the botnet is knocked offline, the remainder of the botnet can still function.
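The resilience argument above, as an added toy model that is not part of the article and is not ZeroAccess’s real protocol: a star topology, where bots know only the control servers, next to a random peer graph, and a count of how many hosts a pushed payload still reaches once the control nodes are taken offline. All node names and the topology-building helpers are constructed for illustration.

```python
from collections import deque
import random


def build_centralized(n_bots, n_servers):
    """Star-like graph: every bot talks only to the control servers (constructed)."""
    g = {f"c{i}": set() for i in range(n_servers)}
    for b in range(n_bots):
        bot = f"b{b}"
        g[bot] = {f"c{i}" for i in range(n_servers)}
        for s in g[bot]:
            g[s].add(bot)
    return g


def build_p2p(n_bots, degree, seed=0):
    """Each bot keeps a peer list of `degree` other bots (constructed toy topology)."""
    rng = random.Random(seed)
    g = {f"b{b}": set() for b in range(n_bots)}
    names = list(g)
    for node in names:
        for peer in rng.sample([x for x in names if x != node], degree):
            g[node].add(peer)
            g[peer].add(node)
    return g


def reachable_from(g, sources, removed):
    """Hosts that can still receive a payload pushed from `sources`
    after the nodes in `removed` have been knocked offline (BFS)."""
    removed = set(removed)
    seen = {s for s in sources if s not in removed}
    q = deque(seen)
    while q:
        n = q.popleft()
        for m in g[n]:
            if m not in removed and m not in seen:
                seen.add(m)
                q.append(m)
    return seen - set(sources)


def survivors_after_takedown(g, sources, removed):
    """Number of infected hosts the operators can still update."""
    return len(reachable_from(g, sources, removed))
```

With the three servers removed, the star topology reaches zero bots; in the peer graph the operators can push from any surviving peer and still reach nearly every host, which is why seizing servers alone does not disable a P2P botnet.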
The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers — including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred.
“For now, at least, the actual ZeroAccess P2P botnet appears to be otherwise operating normally,” said Brett Stone-Gross, a security researcher with Dell SecureWorks who has studied ZeroAccess activity at length (PDF).
“The problem is that the botnet operators can still easily push a new plugin through the P2P network to restart their click fraud and search engine hijacking activities,” said Stone-Gross.
Below is a screen shot of a recent template uploaded to the machines infected with ZeroAccess; it includes information that compromised systems will need in order to carry out future click-fraud schemes.
This is the latest in a string of legal maneuvers that Microsoft attorneys have used to dismantle or disrupt botnets that target Microsoft Windows users. As with a 2011 action targeting the “Rustock” spam botnet, Microsoft in this case invoked the Lanham Act, the federal statute that prohibits trademark infringement, trademark dilution and false advertising.
Microsoft has posted an enormous amount of information about this botnet and its civil law enforcement strategy at this Web site. Stay tuned for further updates on this story.
Update, Dec. 6, 1:36 p.m. ET: According to Stone-Gross, the operators of the ZeroAccess botnet last night pushed out a configuration file for distribution to the 2 million systems still infected with the bot malware. The new “z00clicker” template uploaded by the bad guys temporarily brought the click fraud network back online, Stone-Gross said, but by this morning the servers were down again. “The ZeroAccess guys then pushed new configuration files/plugins with the message ‘WHITE FLAG’,” perhaps signaling that for now they do not plan to try to resuscitate the click fraud network.
Separately, Lance James, head of intelligence at Deloitte, confirmed that the new Z00clicker modules were uploaded shortly after Microsoft and Europol announced their action.