Symantec Sinkholes Part of Massive ZeroAccess Botnet

Researchers at Symantec sinkholed a portion of the notorious ZeroAccess botnet, disconnecting more than half a million machines from the control of cybercriminals.

According to Symantec, the company began to sinkhole the infected computers back in July after discovering vulnerabilities in how the ZeroAccess bots communicate with each other. After the researchers noticed a new version of ZeroAccess being distributed that fixed the vulnerabilities, they decided to act.

“Having seen the changes beginning to roll out, and with a viable plan in place, we were faced with an option: start our operations now or risk losing the initiative,” Symantec’s Security Response team noted.

On a typical day, the botnet has 1.9 million computers under its control. When it comes to making money, its activities are focused on bitcoin mining and click fraud.

“Out of interest, we took some old hardware that we had lying around in the office to test what kind of impact the ZeroAccess botnet would have in terms of energy usage and the economics of these activities,” Symantec explained.

“We infected the test lab computers with ZeroAccess and then set them bitcoin mining, we also had a clean control computer that was just allowed to idle,” the researchers continued. “We hooked the computers up to power meters to see the amount of power being consumed by the test computers.”

“With this kind of a rig, bitcoin mining with a single computer was always going to be an exercise in futility. Operating this rig for a whole year would only yield a measly US$0.41! But if you had 1.9 million bots available, the equation changes completely. Now thousands of dollars a day could potentially be generated by the botnet.”

In Symantec’s tests simulating the botnet’s click fraud operation, each bot generated roughly 257 MB of network traffic every hour. They also generated 42 false ad clicks per hour. Even if each click is valued at only a fraction of a penny, when that is multiplied across 1.9 million machines, the profits for the attacker could reach into the millions, the researchers noted.

“What this exercise has shown is that despite the resilient P2P architecture of the Zero Access botnet, we have still been able to sinkhole a large portion of the bots,” according to Symantec. “This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes.”

The company added that it is working with ISPs and CERTs around the globe to share information and get the infected machines cleaned. 

Earlier this year, Fortinet was tracking 100,000 new infections per week and almost 3 million unique IP addresses reporting infections. According to security vendor Kindsight, the ZeroAccess botnet was the most active botnet in the wild in 2012, and at one point last year was estimated to be bringing in as much as $100,000 a day for its operator.

*Story was updated to fix an incorrect number.

Additional reporting by Mike Lennon