Security Experts:

Millions of Home Networks Infected by ZeroAccess Botnet

A report from network-based security and analytics vendor Kindsight says that 2.2 million home networks were infected with the ZeroAccess botnet in Q3 2012. This infection rate means that advertisers are losing almost one million dollars a day due to click fraud generated by the botnet, the report adds.

ZeroAccess has been around since 2010, and is a business in and of itself. In September, it was estimated that the size of the botnet had grown to one million systems and had been installed over 9 million times globally, with the majority of these infection and installation points located within the U.S.

Anti-Virus firm Sophos reported at the time that the focus of the botnet was Bitcoin mining and click fraud, and if operating at full capacity, “...the ZeroAccess botnet is capable of making a staggering amount of money: in excess of $100,000 a day,” Sophos' Senior Threat Researcher James Wyke said.

ZeroAccess spreads via exploit kits, and is often delivered to its victims by websites linked to Warez (key generators and cracks) and pirated game downloads. A Google Earth visualization of ZeroAccess infections in September was compiled by another security firm, F-Secure, and can be seen here.

Kindsight’s latest report mirrors the findings from Sophos and geographic data released by F-Secure, in that some 2.2 million systems in North America were infected by ZeroAccess in Q3 2012, or 1 in 25 home networks.

This total equates to 13% of the home networks in North America, which is actually down from the totals reported last quarter. Given that click fraud is one of the botnet’s functions, Kindsight estimates that it could be costing advertisers $900,000 per day.

There’s a reason ZeroAccess is popular among online criminals, and why the botnet has spread as far as it has.

According to research from Sophos, one reason for the continued growth of the ZeroAccess botnet is due to the compensation scheme offered by its authors, who use a lucrative Pay-Per-Install affiliate program to distribute malware. Thus, the money collected from click fraud is used to pay people for additional installations, creating a type of pyramid scheme business plan.

Given the methods used to propagate and spread ZeroAccess, combined with the large amount of money to be made in keep it alive, there’s little hope that it will go away any time soon.

Sophos and Kindsight have each examined ZeroAccess in detail. Kindsight’s analysis on ZeroAccess is here, it was published in February. Sophos’ report, written last month, is available here.

view counter
Steve Ragan is a security reporter and contributor for SecurityWeek. Prior to joining the journalism world in 2005, he spent 15 years as a freelance IT contractor focused on endpoint security and security training.