Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Symantec Sinkholes Part of Massive ZeroAccess Botnet

Researchers at Symantec sinkholed a portion of the notorious ZeroAccess botnet, disconnecting more than half a million machines from the control of cybercriminals.

Researchers at Symantec sinkholed a portion of the notorious ZeroAccess botnet, disconnecting more than half a million machines from the control of cybercriminals.

According to Symantec, the company began to sinkhole the infected computers back in July after discovering vulnerabilities in how the ZeroAccess bots communicate with each other. After the researchers noticed a new version of ZeroAccess being distributed that fixed the vulnerabilities, they decided to act.

“Having seen the changes beginning to roll out, and with a viable plan in place, we were faced with an option: start our operations now or risk losing the initiative,” Symantec’s Security Response team noted.

On a typical day, the botnet has 1.9 million computers under its control. When it comes to making money, its activities are focused on bitcoin mining and click fraud.

Advertisement. Scroll to continue reading.

“Out of interest, we took some old hardware that we had lying around in the office to test what kind of impact the ZeroAccess botnet would have in terms of energy usage and the economics of these activities,” Symantec explained.

“We infected the test lab computers with ZeroAccess and then set them bitcoin mining, we also had a clean control computer that was just allowed to idle,” the researchers continued. “We hooked the computers up to power meters to see the amount of power being consumed by the test computers.”

“With this kind of a rig, bitcoin mining with a single computer was always going to be an exercise in futility. Operating this rig for a whole year would only yield a measly US$0.41! But if you had 1.9 million bots available, the equation changes completely. Now thousands of dollars a day could potentially be generated by the botnet.”

In Symantec’s tests simulating the botnet’s click fraud operation, each bot generated roughly 257 MB of network traffic every hour. They also generated 42 false ad clicks per hour. Even if each click is valued at only a fraction of a penny, when that is multiplied across 1.9 million machines, the profits for the attacker could reach into the millions, the researchers noted.

“What this exercise has shown is that despite the resilient P2P architecture of the Zero Access botnet, we have still been able to sinkhole a large portion of the bots,” according to Symantec. “This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes.”

The company added that it is working with ISPs and CERTs around the globe to share information and get the infected machines cleaned. 

Earlier this year, Fortinet was tracking 100,000 new infections per week and almost 3 million unique IP addresses reporting infections. According to security vendor Kindsight, the ZeroAccess botnet was the most active botnet in the wild in 2012, and at one point last year was estimated to be bringing in as much as $100,000 a day for its operator.

*Story was updated to fix an incorrect number.

Additional reporting by Mike Lennon

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...