Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Microsoft Disrupts ZeroAccess Botnet

Late last week, Microsoft announced it had struck a blow against the ZeroAccess botnet in a joint operation with law enforcement and technology company A10 Networks.

Late last week, Microsoft announced it had struck a blow against the ZeroAccess botnet in a joint operation with law enforcement and technology company A10 Networks.

But while the effort may have started a ten-count, some say the botnet was far from knocked out.

The takedown operation disrupted a botnet that is held responsible for infecting more than two million computers by targeting search results on Google, Bing and Yahoo search engines and costing online advertisers $2.7 million a month. The botnet hijacks people’s search engine results and redirects them to sites they had not intended to go to in order to commit click fraud. ZeroAccess relies on a peer-to-peer infrastructure that allows cybercriminals to control it remotely through tens of thousands of different computers.

ZeroAccess Botnet TakedownTo combat the situation, Microsoft recently filed a civil suit against the people behind the botnet and received authorization from the U.S. District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit fraud. In addition, Microsoft took control of 49 domains associated with ZeroAccess, while A10 Networks provided Microsoft with advanced technology to support the disruptive action.

However, Microsoft’s work comes up short. In a joint blog post, Yacin Nadji, a Ph.D. Candidate at Georgia Institute of Technology, and Damballa Chief Scientist Manos Antonakakis noted that any meaningful action against ZeroAccess must disrupt its peer-to-peer (P2P) communications channel.

“Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations,” they noted. “This extensive legal work can be undone in a matter of hours.”

According to a report, the operators did push out a configuration file to infected systems to bring the click fraud network back online, but the within a few hours the servers were back offline.

Fears about click fraud led to the Interactive Advertising Bureau (IAB) recently issuing a set of best practices designed to help publishers, networks and buyers reduce the risk of fraud on the Internet.

“The companies that participate in the digital advertising supply chain have been struggling with how to handle criminal enterprises intent on gaming the system,” said Steve Sullivan, vice president of advertising technology for IAB, in a statement. “These fraudsters are diluting the value of all legitimate inventory while simultaneously diminishing the integrity of the entire digital marketing industry. The introduction of these best practices is a first step in reducing the marketplace repercussions of these illegal activities.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.