Microsoft Disrupts ZeroAccess Botnet

Late last week, Microsoft announced it had struck a blow against the ZeroAccess botnet in a joint operation with law enforcement and technology company A10 Networks.

But while the effort may have started a ten-count, some say the botnet was far from knocked out.

The takedown operation disrupted a botnet that is held responsible for infecting more than two million computers by targeting search results on Google, Bing and Yahoo search engines and costing online advertisers $2.7 million a month. The botnet hijacks people’s search engine results and redirects them to sites they had not intended to go to in order to commit click fraud. ZeroAccess relies on a peer-to-peer infrastructure that allows cybercriminals to control it remotely through tens of thousands of different computers.

To combat the situation, Microsoft recently filed a civil suit against the people behind the botnet and received authorization from the U.S. District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit fraud. In addition, Microsoft took control of 49 domains associated with ZeroAccess, while A10 Networks provided Microsoft with advanced technology to support the disruptive action.

However, Microsoft’s work comes up short. In a joint blog post, Yacin Nadji, a Ph.D. Candidate at Georgia Institute of Technology, and Damballa Chief Scientist Manos Antonakakis noted that any meaningful action against ZeroAccess must disrupt its peer-to-peer (P2P) communications channel.

“Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations,” they noted. “This extensive legal work can be undone in a matter of hours.”

According to a report, the operators did push out a configuration file to infected systems to bring the click fraud network back online, but the within a few hours the servers were back offline.

Fears about click fraud led to the Interactive Advertising Bureau (IAB) recently issuing a set of best practices designed to help publishers, networks and buyers reduce the risk of fraud on the Internet.

“The companies that participate in the digital advertising supply chain have been struggling with how to handle criminal enterprises intent on gaming the system,” said Steve Sullivan, vice president of advertising technology for IAB, in a statement. “These fraudsters are diluting the value of all legitimate inventory while simultaneously diminishing the integrity of the entire digital marketing industry. The introduction of these best practices is a first step in reducing the marketplace repercussions of these illegal activities.”