Microsoft Battles ZeroAccess Botnet

Working in partnership with the FBI and Europol, Microsoft has taken aim at the ZeroAccess botnet, which has been defrauding Internet search engines and their advertisers. Microsoft claims that approximately $2.7 million a month was being lost to ZeroAccess-related click fraud.

ZeroAccess has been active since at least 2011. Richard Boscovich, assistant general counsel, Microsoft Digital Crimes Unit, told eSecurity Planet that while Microsoft has been aware of this threat for many years, it began seriously investigating the malware about four months ago.

“During that time, Microsoft studied the malware in order to find vulnerabilities so it could take action to disrupt the botnet,” he said.

After filing a civil lawsuit against the cybercriminals operating the ZeroAccess botnets, Microsoft received authorization from the U.S. District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the U.S. and the Internet Protocol (IP) addresses being used to commit the fraudulent schemes.

He said that Europol worked with Latvia, Luxembourg, Switzerland, the Netherlands and Germany to execute search warrants and seizures on computer servers associated with 18 fraudulent IP addresses located in Europe.

Microsoft also took over control of 49 domains associated with the ZeroAccess botnet, Boscovich added.

Botnet Down, but Not Out

Though ZeroAccess has been disrupted through the seizure of domain names and IP addresses, the botnet isn’t dead — yet.

Boscovich explained that ZeroAccess is one of the most robust and durable botnets in operation today and was built to be resilient to disruption efforts. It relies on a highly distributed peer-to-peer infrastructure, which allows cybercriminals to control the botnet remotely from any of tens of thousands of different computers rather than from one fixed location.

“So, unlike many botnets, ZeroAccess didn’t have a single central server controlling it,” Boscovich said. “Consequently, the criminals had the ability to use any infected computer in the botnet to distribute commands to commit crimes, making it hard to kill off.”

As it turns out, the botnet has already responded to the Microsoft-led disruption by pushing out new fraud control IPs.
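The two points above, that a peer-to-peer botnet has no single server to seize and that the surviving peers can re-announce new control addresses, are easier to see with a small model. The following is an added illustration, not code from the article, from Microsoft or from the ZeroAccess malware itself: it builds a toy centralized botnet and a toy peer-to-peer botnet as graphs, removes a set of "seized" hosts, and measures what fraction of bots a command can still reach from the hosts the operator still controls. The bot counts, peer-list size and choice of seized hosts are assumptions chosen for the demonstration.

```python
"""Toy model: effect of seizing hosts on a centralized vs. a P2P botnet.

Added example (not from the article). Graph sizes and seizure sets are
arbitrary assumptions; the model only captures command reachability.
"""
import random
from collections import deque


def build_centralized(n_bots):
    """Every bot talks only to a single command-and-control host, 'c2'."""
    graph = {"c2": set()}
    for i in range(n_bots):
        bot = f"bot{i}"
        graph[bot] = {"c2"}
        graph["c2"].add(bot)
    return graph


def build_p2p(n_bots, peers_per_bot, seed=0):
    """Each bot keeps a short list of random peers (undirected links),
    loosely mirroring a gossip-style peer list. Deterministic via seed."""
    rng = random.Random(seed)
    names = [f"bot{i}" for i in range(n_bots)]
    graph = {name: set() for name in names}
    for bot in names:
        others = [n for n in names if n != bot]
        for peer in rng.sample(others, peers_per_bot):
            graph[bot].add(peer)
            graph[peer].add(bot)
    return graph


def seize(graph, seized):
    """Return a copy of the graph with the seized hosts and their links removed,
    modelling a court-ordered block or physical seizure of those hosts."""
    seized = set(seized)
    return {
        host: {p for p in peers if p not in seized}
        for host, peers in graph.items()
        if host not in seized
    }


def reachable_from(graph, entry_points):
    """Breadth-first search: every host a command (for example a freshly
    announced set of fraud-control addresses) can propagate to, starting
    from whichever entry points survived the takedown."""
    seen = set()
    queue = deque(h for h in entry_points if h in graph)
    seen.update(queue)
    while queue:
        host = queue.popleft()
        for peer in graph[host]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def controllable_fraction(graph, seized, entry_points):
    """Fraction of the original bots that still receive commands after
    the seized hosts are removed."""
    bots = [h for h in graph if h.startswith("bot")]
    survivors = seize(graph, seized)
    reached = reachable_from(survivors, entry_points)
    return sum(1 for b in bots if b in reached) / len(bots)


def compare(n_bots=1000, peers_per_bot=8, n_seized=50, seed=1):
    """Run both scenarios with the same number of seized hosts.

    Centralized: the operator's only entry point is the C2, and it is seized.
    P2P: fifty bots are seized; the operator injects commands via two
    surviving bots (assumed entry points for the demonstration)."""
    central = build_centralized(n_bots)
    central_left = controllable_fraction(central, ["c2"], ["c2"])

    p2p = build_p2p(n_bots, peers_per_bot, seed=seed)
    seized = [f"bot{i}" for i in range(n_seized)]
    entry = [f"bot{n_bots - 10}", f"bot{n_bots - 5}"]
    p2p_left = controllable_fraction(p2p, seized, entry)
    return central_left, p2p_left


if __name__ == "__main__":
    central_left, p2p_left = compare()
    print(f"centralized botnet still controllable: {central_left:.0%}")
    print(f"P2P botnet still controllable:         {p2p_left:.0%}")
```

In the centralized case a single seizure drops control to zero; in the peer-to-peer case removing the same number of hosts leaves roughly 95 percent of bots reachable from any surviving peer, which is why seizing 18 IP addresses and 49 domains disrupts the fraud but does not kill the botnet, and why the operators could push new control addresses through the remaining peers.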

“This was expected, and we are closely monitoring the situation as we continue to work with our industry and law enforcement partners to keep the pressure on those behind this threat,” Boscovich said. “Our primary objective continues to focus on the victims and cleaning the computers infected with the malware so they can no longer be used for harm.”

Cleaning PCs infected with ZeroAccess isn't an easy task, as the malware typically blocks user attempts at removal. Boscovich recommended that PC users visit for detailed instructions on how to remove the threat.

Sean Michael Kerner is a senior editor at eSecurityPlanet. Follow him on Twitter @TechJournalist.
