ZeroAccess botnet
ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.[1]
History and propagation
The ZeroAccess botnet was discovered at least as early as May 2011.[2] The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems.[3] Estimates of the botnet's size vary across sources; antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.[4][5]
The bot itself is spread by the ZeroAccess rootkit through a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either by disguising it as a legitimate file, or by hiding it as an additional payload in an executable that announces itself as, for example, bypassing copyright protection (a keygen). A second attack vector utilizes an advertising network in order to have the user click on an advertisement that redirects them to a site hosting the malicious software itself. Finally, a third infection vector is an affiliate scheme in which third parties are paid for installing the rootkit on a system.[6][7]
In December 2013 a coalition led by Microsoft moved to destroy the command and control network for the botnet. The attack was ineffective, though, because not all C&C servers were seized, and the botnet's peer-to-peer command and control component was unaffected, meaning the botnet could still be updated at will.[8]
Operation
Once a system has been infected with the ZeroAccess rootkit it will start one of the two main botnet operations: bitcoin mining or click fraud. Machines involved in bitcoin mining generate bitcoins for their controller, the estimated worth of which was 2.7 million US dollars per year in September 2012.[9] The machines used for click fraud simulate clicks on website advertisements paid for on a pay-per-click basis. The estimated profit for this activity may be as high as 100,000 US dollars per day,[10][11] costing advertisers $900,000 a day in fraudulent clicks.[12] Typically, ZeroAccess infects the Master Boot Record (MBR) of the machine. It may alternatively infect a random driver in C:\Windows\System32\Drivers, giving it total control over the operating system.[citation needed] It also disables the Windows Security Center, Firewall, and Windows Defender in the operating system. ZeroAccess also hooks itself into the TCP/IP stack to help with the click fraud.
The software also looks for the Tidserv malware and removes it if it finds it.[1]
See also
- Botnet
- Malware
- Command and control (malware)
- Zombie (computer science)
- Internet crime
- Internet security
- Click fraud
- Clickbot.A
References
- ^ a b "Risk Detected". www.broadcom.com.
- ^ "Monthly Malware Statistics, May 2011". securelist.com.
- ^ Wyke, James (19 September 2012). "Over 9 million PCs infected – ZeroAccess botnet uncovered". Sophos. Retrieved 27 December 2012.
- ^ Jackson Higgins, Kelly (30 October 2012). "ZeroAccess Botnet Surges". Dark Reading. Archived from the original on 3 December 2012. Retrieved 27 December 2012.
- ^ Kumar, Mohit (19 September 2012). "9 million PCs infected with ZeroAccess botnet". The Hacker News. Retrieved 27 December 2012.
- ^ Wyke, James (4 April 2012). "The ZeroAccess rootkit". Sophos. p. 2. Retrieved 27 December 2012.
- ^ Mimoso, Michael (30 October 2012). "ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining". ThreatPost. Archived from the original on 3 December 2012. Retrieved 27 December 2012.
- ^ Gallagher, Sean (6 December 2013). "Microsoft disrupts botnet that generated $2.7M per month for operators". Ars Technica. Retrieved 9 December 2013.
- ^ Wyke, James. "The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain" (PDF). Sophos. p. 45. Retrieved 27 December 2012.
- ^ Leyden, John (24 September 2012). "Crooks can milk '$100k a day' from 1-million-zombie ZeroAccess army". The Register. Retrieved 27 December 2012.
- ^ Ragan, Steve (31 October 2012). "Millions of Home Networks Infected by ZeroAccess Botnet". SecurityWeek. Retrieved 27 December 2012.
- ^ Dunn, John E. (2 November 2012). "ZeroAccess bot has infected 2 million consumers, firm calculates". Techworld. Retrieved 27 December 2012.
External links
- Analysis of the ZeroAccess botnet, created by Sophos.
- ZeroAccess Botnet, Kindsight Security Labs.
- New C&C Protocol for ZeroAccess[permanent dead link], Kindsight Security Labs.