SecurityWeek

Bitcoin Botnet Ranked as Top Threat for Q1 2013

ZeroAccess Botnet Adding 100,000 New Infections Per Week, Almost 3 Million IP Addresses Reporting Infections.

Looking at the threats that targeted the Web in the first quarter of the year, Fortinet says that ZeroAccess, a botnet that now mines the popular electronic currency Bitcoin, was the top problem. It wasn’t alone, however: the wiper attacks on South Korea and adware on Android also made the list.

Fortinet’s data comes from telemetry reported by its devices worldwide, and it is on that basis that the company claims ZeroAccess was not only the top threat in Q1 2013 but also shows no sign of slowing down. The botnet is actively maintained: its controllers ship updates and commands to infected hosts on a weekly basis.

Originally used for click fraud, ZeroAccess was updated to serve a second function alongside the first: Bitcoin mining, using the processing power of the infected hosts. Over the last 90 days, Fortinet says that growth of the botnet has remained consistent, and it has tracked “a staggering 100,000 new infections per week and almost 3 million unique IP addresses reporting infections.” Estimates place the botnet’s earnings near $100,000 USD daily.

In March and into April, Mt. Gox, the largest Bitcoin exchange in the world, battled a sustained Distributed Denial of Service (DDoS) attack, apparently an attempt to destabilize the currency and/or profit from the resulting price swings. Researchers have noted that a DDoS module has been developed for ZeroAccess, but at present that capability is not active in the botnet itself, and the article does not attribute the Mt. Gox attack to it.

“In the first quarter of 2013, we have seen owners of the ZeroAccess botnet maintain and expand the number of bots under its control,” said Richard Henderson, security strategist and threat researcher for Fortinet’s FortiGuard Labs.

“In the last 90 days, the owners of ZeroAccess have sent their infected hosts 20 software updates. As Bitcoin’s popularity and value increases, we may see other botnet owners attempt to utilize their botnets in similar fashions or to disrupt the Bitcoin market.”

On other threats, the massive malware attack on South Korean television networks and financial institutions in March caused wide-scale damage, wiping thousands of hard drives. Fortinet says in its report that the attackers were able to seize control of patch management systems and use them to distribute malware within their targets’ networks. This is what makes such systems a high-value target: endpoints are configured to trust and execute whatever the internal update server pushes, so compromising one server yields code execution across the estate without any further exploitation. Cleanup and recovery continues to this day.

“During our investigation of the attacks, we discovered that a version of the wiper malware was able to infect internal security management servers and use the trusted nature of that internal server to spread infections inside the victim’s network,” said Kyle Yang, Senior Manager of Antivirus at FortiGuard Labs.

Finally, Fortinet says that two new Adware variants on the Android platform are gaining traction online. Android.NewyearL.B and Android.Plankton.B have each seen a large boost to global infections this quarter.

Both variants are embedded into various applications and have the ability to display advertisements, track users through the phone’s unique IMEI number (a persistent hardware identifier that cannot be reset by the user), and modify the phone’s desktop.

“The new advertising kits we are monitoring suggest that the authors behind this are working very hard to remain undetected,” said David Maciejak, senior researcher for Fortinet’s FortiGuard Labs.

“It’s also possible that Newyear and Plankton are being written by the same author, but being maintained separately in order to generate more infections.”

Related Reading: National Journal Site Found Serving ZeroAccess Rootkit

Related Reading: ZeroAccess Most Active Botnet in Q4 2012, Kindsight Reports
