The cybercriminals started rolling out a new variant just before the operation began

Oct 1, 2013 07:22 GMT  ·  By

Symantec researchers have managed to sinkhole a total of over half a million bots of the ZeroAccess botnet. They might have been able to take down more, but the cybercriminals made some changes to the threat to make it more resilient.

ZeroAccess is one of the largest botnets in the world, with an estimated 1.9 million bots. The botnet is used to deliver payloads to infected computers and to carry out Bitcoin mining and click fraud.

What makes ZeroAccess interesting, besides its size, is that it uses a peer-to-peer (P2P) command and control (C&C) infrastructure. With no central server to seize, the botnet is more difficult to disrupt.

Symantec researchers have been analyzing the botnet since March 2013 in an effort to find a way to sinkhole it. Just as the experts had worked out a theory on how to achieve this, on June 29 the cybercriminals released a new version of ZeroAccess.

The approach Symantec had initially devised no longer worked on this new variant of the malware. The release of the new version was likely prompted by a research paper published in May that analyzed the weaknesses in the P2P mechanism.

The researchers decided to go ahead with their plan anyway and to sinkhole as many bots as possible before the new version was fully rolled out.

“This operation quickly resulted in the detachment of over half a million bots and made a serious dent to the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new ZeroAccess bot became sinkholed,” Symantec noted.

Additional details on this operation will be presented by Symantec’s Ross Gibbs and Vikram Thakur at the upcoming Virus Bulletin Conference in Berlin. A white paper will be published as well.

In the meantime, check out the infographic that summarizes the impact of the ZeroAccess botnet.