SecurityWeek

Malware & Threats

ZeroAccess Most Active Botnet in Q4 2012, Kindsight Reports

The ZeroAccess botnet closed out 2012 as the most active botnet in the wild, according to a malware report from security vendor Kindsight.

ZeroAccess is mainly designed to distribute malware as part of a massive ad-click fraud campaign that at one point last year was estimated to be raking in as much as $100,000 a day for its operator. Another version of the botnet makes money through Bitcoin mining. According to Kindsight, versions of the ZeroAccess botnet occupied the number-one and number-seven spots on its list of top high-level malware threats on the Web.

ZeroAccess is so prevalent because it uses an aggressive pay-per-install affiliate campaign to spread malware – something the botnet’s controllers can afford because it is earning top dollar through ad-click fraud, explained Kevin McNamee, security architect at Kindsight.

“The first version of ZeroAccess used rootkit technology to evade antivirus software,” he said. “But the latest version doesn’t even bother – it disables the antivirus during the installation process.”

“Once installed, ZeroAccess keeps a low profile and doesn’t do anything to draw attention to itself,” he continued. “Users don’t know they’re infected. The peer-to-peer command-and-control (C&C) protocol doesn’t have any centralized control service that can be monitored or taken out. This also means that the C&C can’t be traced back to an individual or group. It doesn’t use the DNS infrastructure that carriers commonly monitor to detect bot activity and doesn’t generate any traffic anomalies that can be detected either.”

Rounding out the list of the top four malware threats in the final quarter of the year are the infamous TDSS and Alureon rootkits – at numbers 2 and 4, respectively – and a threat known as AgentTK, which doubled the number of home networks it infected between the third and fourth quarters.

“There was a significant increase in [AgentTK] activity over the holiday period, which can be linked to some new C&C [command and control] sites in China,” according to the report. “This increase was probably the result of a holiday season spam campaign to get the malware installed. This threat is a Trojan downloader that accesses remote websites and attempts to download and install malicious or potentially unwanted software.”

Overall, the network infection rate stood at 11 percent in Q4, dropping from 13 percent in the third quarter. Among those that were infected, the ZeroAccess botnet was the most common infection found in Kindsight deployments on home networks. Six percent of broadband users were infected with high-threat level malware such as bots, rootkits or banking Trojans.

For mobile networks that figure is just 0.5 percent of devices. But while that number is relatively small, it has increased 67 percent when compared to the third quarter, and the number of Google Android malware samples increased by 5.5 times.

“The biggest threat in the BYOD scenario is the ability of the device to record calls, text messages and email; track its location; take pictures; and explore local networks,” McNamee said, adding that the firm is currently tracking eight different spy-phone variants. “This provides the attacker with a full featured, remote access backdoor into a corporate network. The number of mobile malware species of this type is actually quite small compared to the run-of-the-mill SMS Trojans, but the threat level is significantly higher, particularly in a targeted attack.”

Written By

Marketing professional with a background in journalism and a focus on IT security.