Microsoft Battles ZeroAccess Botnet
Microsoft and its partners in law enforcement aim to disrupt the ZeroAccess botnet, one of the most robust botnets in operation today.
Working in partnership with the FBI and Europol, Microsoft has taken aim at the ZeroAccess botnet, which has been abusing Internet search engines through click fraud. Microsoft claims that approximately $2.7 million a month was being lost to ZeroAccess-related click fraud activities on the Internet.
ZeroAccess has been active since at least 2011. Richard Boscovich, assistant general counsel, Microsoft Digital Crimes Unit, told eSecurity Planet that while Microsoft has been aware of this threat for many years, it began seriously investigating the malware about four months ago.
"During that time, Microsoft studied the malware in order to find vulnerabilities so it could take action to disrupt the botnet," he said.
After filing a civil lawsuit against the cybercriminals operating the ZeroAccess botnet, Microsoft received authorization from the U.S. District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the U.S. and the Internet Protocol (IP) addresses being used to commit the fraudulent schemes.
Boscovich said that Europol worked with Latvia, Luxembourg, Switzerland, the Netherlands and Germany to execute search warrants and seizures on computer servers associated with 18 fraudulent IP addresses located in Europe.
Microsoft also took over control of 49 domains associated with the ZeroAccess botnet, Boscovich added.
Botnet Down, but Not Out
Though ZeroAccess has been disrupted through the seizure of domain names and IP addresses, the botnet isn't dead yet.
Boscovich explained that ZeroAccess is one of the most robust and durable botnets in operation today and was built to be resilient to disruption efforts. It relies on a highly distributed peer-to-peer infrastructure that allows cybercriminals to remotely control the botnet from tens of thousands of different computers, so there is no single point that can be seized to shut it down.
"So, unlike many botnets, ZeroAccess didn’t have a single central server controlling it," Boscovich said. "Consequently, the criminals had the ability to use any infected computer in the botnet to distribute commands to commit crimes, making it hard to kill off."
As it turns out, the botnet has already responded to the Microsoft-led disruption by pushing out new fraud control IPs.
"This was expected, and we are closely monitoring the situation as we continue to work with our industry and law enforcement partners to keep the pressure on those behind this threat," Boscovich said. "Our primary objective continues to focus on the victims and cleaning the computers infected with the malware so they can no longer be used for harm."
Cleaning PCs infected with ZeroAccess isn't an easy task, as the malware typically blocks user attempts at removal. Boscovich recommended that PC users visit http://support.microsoft.com/botnets for detailed instructions on how to remove the threat.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.