Symantec uses vulnerability to take out part of the ZeroAccess botnet

Symantec has announced that they've successfully taken down a significant part of the ZeroAccess botnet, by exploiting a weakness discovered in its code.

The ZeroAccess botnet has existed in one form or another since 2010. Last September, security vendor Sophos reported that the executable for ZeroAccess had been downloaded approximately 9 million times, and Kindsight, a network-based security and analytics vendor, reported that 2.2 million home networks were infected by the botnet as of Q3 2012.

ZeroAccess spreads via exploit kits, usually after victims have followed a link in email or downloaded pirated software or Warez (key generators or software cracks). The botnet is a virtual money machine, as the primary focus is Bitcoin mining and click-fraud. The rapid spread of the botnet is due largely to the fact that its operator's PPI (Pay-Per-Install) program pays handsomely.

In August, Symantec observed that ZeroAccess was running a network of 1.9 million bots. While this number is lower than what was estimated in the second half of 2012, it still equates to nearly $2,100 a day in Bitcoin earnings, and costs advertisers nearly $1 million in lost earnings.

The botnet itself runs on a peer-to-peer (P2P) command and control architecture, making the task of taking it down rather difficult. As each newly infected host comes online, it reaches out to other infected hosts to exchange details about other peers on the network (the botnet itself in this case), allowing them to propagate files and instructions quickly and efficiently.

Symantec struggled for some time with the task of taking ZeroAccess offline, because the P2P architecture, as mentioned, made it a tricky one. However, earlier this year Symantec engineers noticed a weakness that offered a difficult, but not impossible, method to sinkhole the botnet.

"We conducted further tests in our controlled labs and found a practical way to liberate peers from the botmaster," Symantec explains in a blog post.

"During this time, we continued to monitor the botnet and on June 29, we noticed that a new version of ZeroAccess was being distributed through the peer-to-peer network. The updated version contained a number of changes but, crucially, it contained modifications that address the design flaws that made the botnet vulnerable to being sinkholed."

On July 16, Symantec began exploiting the weakness, taking down some 500,000 bots in the process. In tests, Symantec said that it took an average of just five minutes of P2P communication before another bot was sinkholed and removed from the ZeroAccess network.

"What this exercise has shown is that despite the resilient P2P architecture of the ZeroAccess botnet, we have still been able to sinkhole a large portion of the bots. This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes," Symantec's post added.

Going forward, Symantec says they are working with ISPs and CERTs across the globe to share information and clean the infected systems. The full post on the takedown is here.
