Europol, Microsoft Kneecap Click-Fraud Botnet
Authorities in Europe joined Microsoft Corp. this week in disrupting “ZeroAccess,” a vast botnet that has enslaved more than two million PCs with malicious software in an elaborate and lucrative scheme to defraud online advertisers.
The action comes partly from Europol’s European Cybercrime Center (EC3), as well as law enforcement cybercrime units from Germany, Latvia, Switzerland and the Netherlands, countries that hosted many of the Internet servers used to control the ZeroAccess botnet.
In tandem with the law enforcement moves in Europe, Microsoft filed a civil lawsuit to unmask eight separate cybercriminals thought to be operating the giant botnet, and to block incoming and outgoing communications between infected PCs in the United States and the 18 control servers, according to a statement released by EC3.
The malware that powers the botnet, also known as “ZAccess” and “Sirefef,” is a complex threat that has evolved significantly since its inception in 2009. It began as a malware delivery platform that was used to spread other threats, such as fake antivirus software (a.k.a. “scareware”).
In recent years, however, the miscreants behind ZeroAccess rearchitected the botnet so that infected systems were forced to perpetrate a moneymaking scheme known as “click fraud” — the practice of fraudulently generating clicks on ads without any intention of fruitfully interacting with the advertiser’s site.
It remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term. Early versions of ZeroAccess relied on a series of control servers to receive updates, but recent versions of the botnet malware were designed to make the network as a whole more resilient and resistant to targeted takedowns such as the one executed this week.
Specifically, ZeroAccess employs a peer-to-peer (P2P) architecture in which new instructions and payloads are distributed from one infected host to another. P2P-based botnets are designed to eliminate a single point of failure, so that if one node used to control the botnet is knocked offline, the remainder of the botnet can still function.
The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess that gives infected systems new instructions on how to defraud various online advertisers — including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred.
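The attribution step described in the paragraph above (identifying publishers whose traffic collapses right after the control servers go dark) can be approximated from an ad network's own per-publisher click logs. The following is an added example, not code from the article, from Microsoft, or from Dell SecureWorks; the publisher ids, click counts and takedown timestamp are constructed, and the thresholds (at least a tenfold drop, at least 50 clicks per hour beforehand) are assumptions. It also handles the edge case the simple rule gets wrong: a publisher whose traffic had already stopped before the takedown is not attributed to it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: hourly click counts per publisher, as an ad network's
# reporting pipeline might emit them. Publisher ids and numbers are invented,
# and the takedown time is assumed; none of this comes from the article.
TAKEDOWN = datetime(2013, 12, 5, 12, 0)

SAMPLE_LOG = """\
2013-12-05T08:00,pub-alpha,410
2013-12-05T09:00,pub-alpha,398
2013-12-05T10:00,pub-alpha,425
2013-12-05T11:00,pub-alpha,402
2013-12-05T12:00,pub-alpha,12
2013-12-05T13:00,pub-alpha,0
2013-12-05T14:00,pub-alpha,3
2013-12-05T15:00,pub-alpha,0
2013-12-05T08:00,pub-beta,120
2013-12-05T09:00,pub-beta,131
2013-12-05T10:00,pub-beta,118
2013-12-05T11:00,pub-beta,124
2013-12-05T12:00,pub-beta,127
2013-12-05T13:00,pub-beta,119
2013-12-05T14:00,pub-beta,122
2013-12-05T15:00,pub-beta,130
2013-12-05T08:00,pub-gamma,60
2013-12-05T09:00,pub-gamma,55
2013-12-05T10:00,pub-gamma,0
2013-12-05T11:00,pub-gamma,0
2013-12-05T12:00,pub-gamma,0
2013-12-05T13:00,pub-gamma,0
2013-12-05T14:00,pub-gamma,0
2013-12-05T15:00,pub-gamma,0
"""


def parse_log(text):
    """Parse 'YYYY-MM-DDTHH:MM,publisher,clicks' lines into (datetime, publisher, int)."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, pub, clicks = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M"), pub, int(clicks)))
    return rows


def flag_suspect_publishers(rows, takedown, window=timedelta(hours=4),
                            drop_ratio=0.1, min_before=50.0):
    """Return {publisher: (avg clicks/hour before, avg clicks/hour after)} for
    publishers whose traffic was substantial before the takedown and fell to at
    most drop_ratio of that level immediately afterwards.

    drop_ratio and min_before are assumed thresholds, not values from the article."""
    before = defaultdict(list)
    after = defaultdict(list)
    # Sorting by timestamp keeps each publisher's hourly series in order, so the
    # last element of before[pub] is the final hour preceding the takedown.
    for ts, pub, clicks in sorted(rows):
        if takedown - window <= ts < takedown:
            before[pub].append(clicks)
        elif takedown <= ts < takedown + window:
            after[pub].append(clicks)

    suspects = {}
    for pub, pre_series in before.items():
        # Edge case: traffic that had already stopped before the action cannot
        # be attributed to the takedown, so skip publishers that were silent
        # in the final pre-takedown hour.
        if pre_series[-1] == 0:
            continue
        pre = sum(pre_series) / len(pre_series)
        post_series = after.get(pub, [])
        post = sum(post_series) / len(post_series) if post_series else 0.0
        if pre >= min_before and post <= pre * drop_ratio:
            suspects[pub] = (round(pre, 2), round(post, 2))
    return suspects


if __name__ == "__main__":
    for pub, (pre, post) in flag_suspect_publishers(parse_log(SAMPLE_LOG), TAKEDOWN).items():
        print(f"{pub}: {pre:.1f} clicks/h before takedown, {post:.1f} after")
```

In the constructed data only `pub-alpha` is flagged: `pub-beta` keeps sending traffic, and `pub-gamma` went quiet two hours before the takedown, so its drop is not correlated with the action. On real logs the window and thresholds would be tuned to the network's normal hour-to-hour variance, and a flagged publisher is a lead for the affiliate-fraud team rather than proof on its own.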
“For now, at least, the actual ZeroAccess P2P botnet appears to be otherwise operating normally,” said Brett Stone-Gross, a security researcher with Dell SecureWorks who has studied ZeroAccess activity at length (PDF).
“The problem is that the botnet operators can still easily push a new plugin through the P2P network to restart their click fraud and search engine hijacking activities,” said Stone-Gross.
Below is a screen shot of a recent template uploaded to the machines infected with ZeroAccess; it includes information that compromised systems will need in order to carry out future click-fraud schemes.
This is the latest in a string of legal maneuvers that Microsoft attorneys have used to dismantle or disrupt botnets that target Microsoft Windows users. As with a 2011 action targeting the “Rustock” spam botnet, Microsoft in this case invoked the Lanham Act, a federal statute that prohibits trademark infringement, trademark dilution and false advertising.
Microsoft has posted an enormous amount of information about this botnet and its civil law enforcement strategy at this Web site. Stay tuned for further updates on this story.
Update, Dec. 6, 1:36 p.m. ET: According to Stone-Gross, the operators of the ZeroAccess botnet last night pushed out a configuration file for distribution to the 2 million systems still infected with the bot malware. The new “z00clicker” template uploaded by the bad guys temporarily brought the click fraud network back online, Stone-Gross said, but by this morning the servers were down again. “The ZeroAccess guys then pushed new configuration files/plugins with the message ‘WHITE FLAG’,” perhaps signalling that for now they do not plan to try to resuscitate the click fraud network.
Separately, Lance James, head of intelligence at Deloitte, confirmed that the new Z00clicker modules were uploaded shortly after Microsoft and Europol announced their action.
- Microsoft, Symantec Hijack ‘Bamital’ Botnet
Microsoft and Symantec said Wednesday that they have teamed up to seize control over the “Bamital” botnet, a multi-million dollar crime machine that used malicious software to hijack search results. The two companies are now using that control to alert hundreds of thousands of users whose PCs remain infected with the malware.
- Polish Takedown Targets ‘Virut’ Botnet
Security experts in Poland on Thursday quietly seized domains used to control the “Virut” botnet, a huge army of hacked PCs that is custom-built to be rented out to cybercriminals.
- Microsoft Disrupts ‘Nitol’ Botnet in Piracy Sweep
Microsoft said Thursday that it convinced a U.S. federal court to grant it control over a botnet believed to be closely linked to counterfeit versions of Windows that were sold in various computer stores across China. The legal victory also highlights a Chinese Internet service that experts say has long been associated with targeted espionage attacks against U.S. and European corporations.
- Microsoft to Botmasters: Abandon Your Inboxes
If the miscreants behind the ZeuS botnets that Microsoft sought to destroy with a civil lawsuit last month didn’t already know that the software giant also wished to unmask them, they almost certainly do now. Google, and perhaps other email providers, recently began notifying the alleged botmasters that Microsoft was requesting their personal details.