Damballa experts say the damage caused to the ZeroAccess botnet is minimal

Dec 9, 2013 09:35 GMT
Red dots on the right represent parts of the ZeroAccess infrastructure not disabled by Microsoft

Last week, Microsoft announced an attempt to disrupt the ZeroAccess botnet. However, experts argue that such disruption attempts can’t be successful unless the security community works together.

Microsoft has admitted that its actions haven’t fully eliminated the threat due to its complexity. However, the company is confident that the botnet’s operation will be significantly disrupted.

Researchers from Damballa have analyzed Microsoft’s attempt. They highlight the fact that the only way to disrupt the ZeroAccess botnet is to disrupt its peer-to-peer (P2P) communications channel.

Microsoft has targeted the click-fraud component, which according to Damballa, can be restored in a short amount of time by pushing an updated binary over the P2P channel.

“To make matters worse, it appears that the takedown of the click-fraud component was incomplete. Even if ZeroAccess did not use a P2P C&C, this takedown still would have been insufficient,” experts noted.

Damballa has found that 62% of the infrastructure was not taken down. This means that even without the updated binaries being sent out, the monetization process would still remain mostly unaffected.

In a recent academic paper, Yacin Nadji, Ph.D. candidate at the Georgia Institute of Technology, GTISC, highlights the fact that Microsoft’s actions had little impact in many botnet takedown attempts. Furthermore, in some cases, the Redmond company even ruined the work of other researchers.

For instance, in its recent attempt to take down an instance of the ZeuS botnet, Microsoft took control of domain names that had been sinkholed by abuse.ch and the ShadowServer Foundation.

“MDCU has the potential to bring the security community together and clearly has the gumption to initiate takedown actions. However, the results have been divisive thus far,” Damballa experts noted in a blog post.

“Their actions are often opposed to the security and law enforcement communities’ goals, simply because they do not stop the threats nor do they place people behind bars. Microsoft is known for supporting and contributing exceptional and rigorous computer science research, but the actions of the MDCU do not appear to be as thorough.”