The ZeroAccess botnet closed out 2012 as the most active botnet in the wild, according to a malware report from security vendor Kindsight.
ZeroAccess is mainly designed to distribute malware as part of a massive ad-click fraud campaign that at one point last year was estimated to be raking in as much as $100,000 a day for its operator. Another version of the botnet also makes money through Bitcoin mining. According to Kindsight, versions of the ZeroAccess botnet occupied the number one and seven spots on the list of top high-level malware threats on the Web.
ZeroAccess is so prevalent because it uses an aggressive pay-per-install affiliate campaign to spread malware – something the botnet’s controllers can afford because it is earning top dollar through ad-click fraud, explained Kevin McNamee, security architect at Kindsight.
“The first version of ZeroAccess used rootkit technology to evade antivirus software,” he said. “But the latest version doesn’t even bother–it disables the antivirus during the installation process.”
“Once installed, ZeroAccess keeps a low profile and doesn’t do anything to draw attention to itself,” he continued. “Users don’t know they’re infected. The peer-to-peer command-and-control (C&C) protocol doesn’t have any centralized control service that can be monitored or taken out. This also means that the C&C can’t be traced back to an individual or group. It doesn’t use the DNS infrastructure that carriers commonly monitor to detect bot activity and doesn’t generate any traffic anomalies that can be detected either.”
Rounding out the list of the top four malware threats in the final quarter of the year are the infamous TDSS and Alureon rootkits – at numbers 2 and four, respectively – and a threat known as AgentTK, which doubled the number of home networks it infected between the third and fourth quarters.
“There was a significant increase in [AgentTK] activity over the holiday period, which can be linked to some new C&C [command and control] sites in China,” according to the report. “This increase was probably the result of a holiday season spam campaign to get the malware installed. This threat is a Trojan downloader that accesses remote websites and attempts to download and install malicious or potentially unwanted software.”
Overall, the network infection rate stood at 11 percent in Q4, dropping from 13 percent in the third quarter. Among those that were infected, the ZeroAccess botnet was the most common infection found in Kindsight deployments on home networks. Six percent of broadband users were infected with high-threat level malware such as bots, rootkits or banking Trojans.
For mobile networks that figure is just 0.5 percent of devices. But while that number is relatively small, it has increased 67 percent when compared to the third quarter, and the number of Google Android malware samples increased by 5.5 times.
“The biggest threat in the BYOD scenario is the ability of the device to record calls, text messages and email; track its location; take pictures; and explore local networks,” McNamee said, adding that the firm is currently tracking eight different spy-phone variants. “This provides the attacker with a full featured, remote access backdoor into a corporate network. The number of mobile malware species of this type is actually quite small compared to the run-of-the-mill SMS Trojans, but the threat level is significantly higher, particularly in a targeted attack.”