Malware & Threats

Bitcoin Botnet Ranked as Top Threat for Q1 2013

ZeroAccess Botnet Adding 100,000 New Infections Per Week, Almost 3 Million IP Addresses Reporting Infections.

Looking at the threats that targeted the Web in the first quarter of the year, Fortinet says that ZeroAccess, a botnet that mines the popular electronic currency Bitcoin, was the top problem. It wasn’t alone, however: the attacks on South Korea and adware on Android also made the list.

Fortinet’s data comes from information reported by its devices worldwide. It is on the basis of that device telemetry that Fortinet claims ZeroAccess was not only the top threat in Q1 2013, but also that it shows no sign of slowing down. The botnet itself is bustling with activity, as its controllers ship updates and commands on a weekly basis.

Normally used for click fraud, ZeroAccess was updated to serve two functions: its original one and Bitcoin mining, using the processing power of the infected host. Over the last 90 days, Fortinet says, growth of the botnet has remained consistent, and it has tracked “a staggering 100,000 new infections per week and almost 3 million unique IP addresses reporting infections.” Estimates place the botnet’s earnings near $100,000 USD daily.

In March and into April, Mt. Gox, the largest Bitcoin Exchange in the world, battled a continued Distributed Denial of Service (DDoS) attack in an attempt to destabilize the currency and/or profit from it. Researchers have noted that ZeroAccess has a module that enables it to launch DDoS attacks, but at present, such abilities are not part of the botnet itself.

“In the first quarter of 2013, we have seen owners of the ZeroAccess botnet maintain and expand the number of bots under its control,” said Richard Henderson, security strategist and threat researcher for Fortinet’s FortiGuard Labs.

“In the last 90 days, the owners of ZeroAccess have sent their infected hosts 20 software updates. As Bitcoin’s popularity and value increases, we may see other botnet owners attempt to utilize their botnets in similar fashions or to disrupt the Bitcoin market.”


On other threats, the massive malware attack on South Korean television networks and financial institutions in March caused wide-scale damage, wiping thousands of hard drives. Fortinet says in its report that the attackers were able to seize control of patch management systems and use them to distribute malware within their targets’ networks. Cleanup and recovery continues to this day.

“During our investigation of the attacks, we discovered that a version of the wiper malware was able to infect internal security management servers and use the trusted nature of that internal server to spread infections inside the victim’s network,” said Kyle Yang, Senior Manager of Antivirus at FortiGuard Labs.

Finally, Fortinet says that two new adware variants on the Android platform are gaining traction online. Android.NewyearL.B and Android.Plankton.B have each seen a large boost in global infections this quarter.

Both variants are embedded into various applications and have the ability to display advertisements, track users through the phone’s unique IMEI number, and modify the phone’s desktop.

“The new advertising kits we are monitoring suggest that the authors behind this are working very hard to remain undetected,” said David Maciejak, senior researcher for Fortinet’s FortiGuard Labs.

“It’s also possible that Newyear and Plankton are being written by the same author, but being maintained separately in order to generate more infections.”

Related Reading: National Journal Site Found Serving ZeroAccess Rootkit

Related Reading: ZeroAccess Most Active Botnet in Q4 2012, Kindsight Reports
