Microsoft and Law Enforcement Agencies Take a Crack at ZeroAccess Botnet

The disruptive action doesn't fully eliminate the botnet's activities

By on December 6th, 2013 08:42 GMT

Microsoft, together with law enforcement agencies from Europe and the United States, has disrupted the ZeroAccess (Sirefef) botnet, a threat that has infected over 2 million devices worldwide. The malware hijacks search results and redirects victims to websites that install further malware and steal sensitive information.

ZeroAccess is also built for click fraud, costing advertisers an estimated $2.7 million (€2 million) each month.

Because it is built on a peer-to-peer (P2P) architecture, with no central command server that can simply be seized, ZeroAccess is highly resistant to takedowns. The threat is sophisticated enough that this action doesn't fully eliminate it.
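To make the P2P point concrete, here is a toy model of why removing a handful of nodes cripples a centralized botnet but barely dents a peer-to-peer one. This is an added illustration written for this article, not code from the article, from Microsoft, or from the ZeroAccess malware; the node counts, peer-list size and seized fraction are constructed for the example and are not ZeroAccess's real parameters.

```python
import random
from collections import deque


def centralized_botnet(n_bots):
    """Star topology: node 0 is the C2 server, every bot talks only to it."""
    adj = {0: set(range(1, n_bots + 1))}
    for bot in range(1, n_bots + 1):
        adj[bot] = {0}
    return adj


def p2p_botnet(n_bots, peers_per_bot, seed=1):
    """Each bot keeps a list of peers_per_bot random peers; links are made
    symmetric so a command gossiped to either side propagates."""
    rng = random.Random(seed)
    adj = {bot: set() for bot in range(n_bots)}
    for bot in range(n_bots):
        others = [o for o in range(n_bots) if o != bot]
        for peer in rng.sample(others, peers_per_bot):
            adj[bot].add(peer)
            adj[peer].add(bot)
    return adj


def command_reach(adj, entry_nodes, seized):
    """Fraction of un-seized bots that a new command can still reach.
    entry_nodes are where the operator injects the command; seized nodes
    are offline and relay nothing. Breadth-first search over survivors."""
    seized = set(seized)
    alive = set(adj) - seized
    if not alive:
        return 0.0
    reached = {n for n in entry_nodes if n in alive}
    queue = deque(reached)
    while queue:
        node = queue.popleft()
        for peer in adj[node]:
            if peer in alive and peer not in reached:
                reached.add(peer)
                queue.append(peer)
    return len(reached) / len(alive)


def takedown_demo(n_bots=200, peers_per_bot=6, seized_fraction=0.10, seed=7):
    """Seize the server in the star network and a random 10% of bots in the
    P2P network, then report what the operator can still reach.
    Returns {"centralized": fraction, "p2p": fraction} (constructed sizes)."""
    rng = random.Random(seed)
    star = centralized_botnet(n_bots)
    mesh = p2p_botnet(n_bots, peers_per_bot, seed=seed)
    # Centralized: the only thing worth seizing is the server, node 0, and
    # once it is gone no bot can be reached at all.
    star_reach = command_reach(star, entry_nodes=[0], seized=[0])
    # P2P: even after seizing a slice of the network, the operator re-enters
    # through any surviving peer (here the lowest-numbered one) and the
    # order gossips onward to almost every remaining bot.
    seized = rng.sample(range(n_bots), int(n_bots * seized_fraction))
    entry = min(set(range(n_bots)) - set(seized))
    mesh_reach = command_reach(mesh, entry_nodes=[entry], seized=seized)
    return {"centralized": star_reach, "p2p": mesh_reach}


if __name__ == "__main__":
    print(takedown_demo())
```

The model is deliberately simple: it ignores peer-list poisoning, sinkholing and the fact that a real takedown also targets the servers that feed the bots their fraud instructions, which is what the article describes. It shows only the structural property that matters here: with a minimum peer degree of six, isolating a bot requires seizing all of its neighbours, so a random 10% seizure leaves nearly the whole mesh reachable, while seizing the single server of the star network leaves nothing.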

“However, we do expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes,” Richard Domingues Boscovich, assistant general counsel at Microsoft Digital Crimes Unit, noted.

The legal action Boscovich refers to is a lawsuit the Redmond company filed against eight unidentified individuals suspected of being involved in operating the botnet.

Brian Krebs reports that Microsoft, Europol and the FBI targeted the component of the botnet that instructs infected systems how to defraud advertisers. Taking control of that component should let investigators find out which publishers are associated with the cybercriminals.

However, computers infected with ZeroAccess remain infected, and the botnet can still carry out its tasks. Microsoft says it will work with its global partners to clean up infected machines.

Law enforcement agencies from Latvia, the Netherlands, Switzerland and Germany, the countries where ZeroAccess servers were identified, took part in the operation. A10 Networks contributed technology to support the disruption.


ZeroAccess infections in the US in April 2012