SecurityWeek
ZeroAccess Most Active Botnet in Q4 2012, Kindsight Reports

The ZeroAccess botnet closed out 2012 as the most active botnet in the wild, according to a malware report from security vendor Kindsight.


ZeroAccess is primarily a malware-distribution platform whose main payload runs a massive ad-click fraud operation, one that at one point last year was estimated to be earning its operator as much as $100,000 a day. Another version of the botnet also makes money through Bitcoin mining. According to Kindsight, two versions of ZeroAccess took the number one and number seven spots on its list of top high-level malware threats on the Web for the quarter.

ZeroAccess is so prevalent because it uses an aggressive pay-per-install affiliate campaign to spread malware – something the botnet’s controllers can afford because it is earning top dollar through ad-click fraud, explained Kevin McNamee, security architect at Kindsight.

“The first version of ZeroAccess used rootkit technology to evade antivirus software,” he said. “But the latest version doesn’t even bother – it disables the antivirus during the installation process.”

“Once installed, ZeroAccess keeps a low profile and doesn’t do anything to draw attention to itself,” he continued. “Users don’t know they’re infected. The peer-to-peer command-and-control (C&C) protocol doesn’t have any centralized control service that can be monitored or taken out. This also means that the C&C can’t be traced back to an individual or group. It doesn’t use the DNS infrastructure that carriers commonly monitor to detect bot activity and doesn’t generate any traffic anomalies that can be detected either.”
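The property McNamee describes, a peer list that the bot never has to resolve through DNS, cuts both ways: a host that opens connections to many distinct Internet addresses for which it never received a DNS answer is behaving like a peer-to-peer bot rather than a browser. The following Python is an added example written for this page, not code from Kindsight or from the article; the log format (one `dns` or `flow` record per line), the sample records, the UDP port and the fan-out threshold are all constructed assumptions, and the documentation address ranges stand in for real peer addresses.

```python
"""Flag hosts that contact many Internet addresses never returned by a DNS
answer they received, the fingerprint of a hard-coded or peer-to-peer
C&C list. Added example for this page; the format and data are constructed."""
from collections import defaultdict
import ipaddress

# Constructed sample records (not real captures). Two kinds, fields
# separated by whitespace, timestamps in seconds:
#   dns  <ts> <client_ip> <qname> <answer_ip>
#   flow <ts> <src_ip> <dst_ip> <dst_port> <proto>
# 10.0.0.5 behaves like a browser; 10.0.0.9 sprays UDP at unresolved peers.
SAMPLE_LOG = """\
dns  100 10.0.0.5 www.example.com 93.184.216.34
flow 101 10.0.0.5 93.184.216.34 443 tcp
dns  102 10.0.0.5 cdn.example.net 203.0.113.10
flow 103 10.0.0.5 203.0.113.10 443 tcp
flow 104 10.0.0.5 10.0.0.1 445 tcp
flow 200 10.0.0.9 198.51.100.11 34567 udp
flow 201 10.0.0.9 198.51.100.12 34567 udp
flow 202 10.0.0.9 198.51.100.13 34567 udp
flow 203 10.0.0.9 198.51.100.14 34567 udp
flow 204 10.0.0.9 198.51.100.15 34567 udp
flow 205 10.0.0.9 198.51.100.16 34567 udp
dns  206 10.0.0.9 www.example.com 93.184.216.34
flow 207 10.0.0.9 93.184.216.34 443 tcp
"""

# Local address space is reached without DNS, so it must not count.
# Checked explicitly rather than via ip_address().is_global, because
# Python also treats the documentation ranges used above as non-global.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_local(ip: str) -> bool:
    """True for RFC 1918 and loopback destinations."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_records(text: str):
    """Return (ts, kind, fields) tuples in timestamp order, skipping junk."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("dns", "flow"):
            continue
        records.append((int(parts[1]), parts[0], parts[2:]))
    records.sort(key=lambda r: r[0])
    return records


def unresolved_destinations(text: str) -> dict:
    """Map each source host to the set of non-local destination IPs it
    contacted without an earlier DNS answer (to that host) naming the IP."""
    resolved = defaultdict(set)    # client_ip -> answer IPs seen so far
    unresolved = defaultdict(set)  # src_ip -> destinations never resolved
    for _ts, kind, f in parse_records(text):
        if kind == "dns":
            client, answer = f[0], f[2]
            resolved[client].add(answer)
        else:  # flow
            src, dst = f[0], f[1]
            if is_local(dst):
                continue
            if dst not in resolved[src]:
                unresolved[src].add(dst)
    return {src: dsts for src, dsts in unresolved.items() if dsts}


def flag_hosts(text: str, threshold: int = 5) -> list:
    """Hosts whose unresolved fan-out reaches the threshold, sorted.
    The threshold is an assumption to be tuned per network."""
    return sorted(src for src, dsts in unresolved_destinations(text).items()
                  if len(dsts) >= threshold)


if __name__ == "__main__":
    for host in flag_hosts(SAMPLE_LOG):
        peers = sorted(unresolved_destinations(SAMPLE_LOG)[host])
        print(f"{host}: {len(peers)} unresolved destinations, e.g. {peers[:3]}")
```

The check has to be run per client and in time order, since a peer address that a host resolved an hour ago is legitimately cached; in practice the DNS side comes from resolver logs or passive DNS at the carrier edge and the flow side from NetFlow, and hosts that resolve through a DNS-over-TCP tunnel, a local caching resolver the sensor cannot see, or a VPN will look unresolved and need to be whitelisted first.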

Rounding out the top four malware threats for the final quarter of the year are the infamous TDSS and Alureon rootkits, at numbers two and four respectively, and, at number three, a threat known as AgentTK, which doubled the number of home networks it infected between the third and fourth quarters.

“There was a significant increase in [AgentTK] activity over the holiday period, which can be linked to some new C&C [command and control] sites in China,” according to the report. “This increase was probably the result of a holiday season spam campaign to get the malware installed. This threat is a Trojan downloader that accesses remote websites and attempts to download and install malicious or potentially unwanted software.”

Overall, 11 percent of the home networks in Kindsight deployments showed an infection in Q4, down from 13 percent in the third quarter, and ZeroAccess was the most common infection found among them. Six percent of broadband users were infected with high-threat-level malware such as bots, rootkits or banking Trojans.


On mobile networks the figure is just 0.5 percent of devices. That number is small, but it is up 67 percent from the third quarter, and the number of Android malware samples grew 5.5-fold.

“The biggest threat in the BYOD scenario is the ability of the device to record calls, text messages and email; track its location; take pictures; and explore local networks,” McNamee said, adding that the firm is currently tracking eight different spy-phone variants. “This provides the attacker with a full featured, remote access backdoor into a corporate network. The number of mobile malware species of this type is actually quite small compared to the run-of-the-mill SMS Trojans, but the threat level is significantly higher, particularly in a targeted attack.”
