Wikipedia

ZeroAccess botnet

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.[1]

History and propagation

The ZeroAccess botnet was discovered no later than May 2011.[2] The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems.[3] Estimates of the botnet's size vary across sources: antivirus vendor Sophos estimated it at around 1 million active infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.[4][5]

The bot itself is spread by the ZeroAccess rootkit through a variety of attack vectors. One is social engineering: the user is persuaded to execute malicious code, either because it is disguised as a legitimate file or because it is hidden as an additional payload in an executable that advertises itself as, for example, a copyright-protection bypass (a keygen). A second vector uses an advertising network to get the user to click on an advertisement that redirects them to a site hosting the malware itself. A third is an affiliate scheme in which third parties are paid for installing the rootkit on a system.[6][7]

In December 2013 a coalition led by Microsoft moved to take down the botnet's command and control network. The takedown was only partially effective: not all C&C servers were seized, and the peer-to-peer command and control component was unaffected, meaning the botnet could still be updated at will.[8]

Operation

Once a system has been infected with the ZeroAccess rootkit it starts one of the botnet's two main operations: bitcoin mining or click fraud. Machines used for bitcoin mining generate bitcoins for the botnet's controller; in September 2012 the estimated value of this output was 2.7 million US dollars per year.[9] Machines used for click fraud simulate clicks on website advertisements that are paid for on a pay-per-click basis. The estimated profit from this activity may be as high as 100,000 US dollars per day,[10][11] costing advertisers 900,000 US dollars a day in fraudulent clicks.[12] Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine. It may alternatively overwrite a randomly chosen driver in C:\Windows\System32\Drivers, giving it kernel-level control over the operating system.[citation needed] It also disables Windows Security Center, Windows Firewall and Windows Defender. ZeroAccess also hooks itself into the TCP/IP stack to support the click fraud.

The software also looks for the Tidserv malware and removes it if it finds it.[1]
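The symptoms described above (security services switched off, a driver in System32\drivers overwritten, a modified MBR) are the points an incident responder would check first on a suspect host. The following triage script is an added example written for this page; it is not code from the article, from Microsoft, or from any of the cited vendors. It assumes an elevated PowerShell session on Windows, that the Win32 service names wscsvc, MpsSvc and WinDefend correspond to Security Center, Windows Firewall and Windows Defender, and that you have previously recorded a baseline MBR hash from a clean machine (the $KnownGoodMbrHash placeholder is hypothetical and must be replaced with your own value).

```powershell
# Added host-triage example, not code from the article or from any vendor.
# It checks the three symptoms the text attributes to ZeroAccess: security
# services disabled, a tampered driver in System32\drivers, and a modified MBR.
# Assumptions: elevated PowerShell on Windows; service names wscsvc (Security
# Center), MpsSvc (Windows Firewall) and WinDefend (Windows Defender) are the
# standard ones; $KnownGoodMbrHash is a hypothetical placeholder for a baseline
# you captured earlier on a clean system.

function Test-SecurityServices {
    # A stopped or disabled security service is a lead, not proof of infection.
    $expected = [ordered]@{
        wscsvc    = 'Windows Security Center'
        MpsSvc    = 'Windows Firewall'
        WinDefend = 'Windows Defender'
    }
    foreach ($name in $expected.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service    = $expected[$name]
            Name       = $name
            State      = if ($svc) { $svc.State } else { 'Missing' }
            StartMode  = if ($svc) { $svc.StartMode } else { 'Missing' }
            Suspicious = (-not $svc) -or ($svc.State -ne 'Running') -or ($svc.StartMode -eq 'Disabled')
        }
    }
}

function Test-DriverSignatures {
    # The article reports ZeroAccess overwriting a random driver; an overwritten
    # Microsoft driver no longer carries a valid Authenticode signature.
    param([string]$Path = "$env:SystemRoot\System32\drivers")
    Get-ChildItem -Path $Path -Filter '*.sys' -File | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver     = $_.Name
            Status     = $sig.Status
            Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            LastWrite  = $_.LastWriteTime
            Suspicious = ($sig.Status -ne 'Valid')
        }
    } | Where-Object { $_.Suspicious }
}

function Get-MbrHash {
    # Reads the first 512-byte sector of the boot disk and returns its SHA-256
    # so it can be compared against a baseline taken from a clean machine.
    param([string]$Device = '\\.\PhysicalDrive0')
    $stream = New-Object System.IO.FileStream($Device, [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read)
    try {
        $sector = New-Object byte[] 512
        $read = $stream.Read($sector, 0, 512)
        if ($read -ne 512) { throw "short read of MBR ($read bytes)" }
        # Every MBR (including the protective MBR on GPT disks) ends in 0x55 0xAA.
        if ($sector[510] -ne 0x55 -or $sector[511] -ne 0xAA) { throw 'no MBR boot signature found' }
        $sha = [System.Security.Cryptography.SHA256]::Create()
        try {
            return ($sha.ComputeHash($sector) | ForEach-Object { $_.ToString('x2') }) -join ''
        } finally {
            $sha.Dispose()
        }
    } finally {
        $stream.Dispose()
    }
}

# Usage: run all three checks and flag anything that deviates from the baseline.
Test-SecurityServices | Format-Table -AutoSize
Test-DriverSignatures | Format-Table -AutoSize
$KnownGoodMbrHash = '<sha256 recorded on a clean machine>'   # hypothetical placeholder
$current = Get-MbrHash
if ($current -ne $KnownGoodMbrHash) { Write-Warning "MBR hash $current differs from baseline" }
```

None of these checks is conclusive on its own: a user may have disabled Defender deliberately, an unsigned third-party driver may be legitimate, and a legitimate boot manager also changes the MBR. They are useful because a rootkit that hides its own files from the filesystem API cannot hide the absence of a valid signature on the driver it replaced, nor the fact that the raw boot sector no longer matches a known-good hash; findings should be confirmed by imaging the disk and examining it offline.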

See also

  • Botnet
  • Malware
  • Command and control (malware)
  • Zombie (computer science)
  • Internet crime
  • Internet security
  • Click fraud
  • Clickbot.A

References

  1. ^ a b "Risk Detected". www.broadcom.com.
  2. ^ "Monthly Malware Statistics, May 2011". securelist.com.
  3. ^ Wyke, James (19 September 2012). "Over 9 million PCs infected – ZeroAccess botnet uncovered". Sophos. Retrieved 27 December 2012.
  4. ^ Jackson Higgins, Kelly (30 October 2012). "ZeroAccess Botnet Surges". Dark Reading. Archived from the original on 3 December 2012. Retrieved 27 December 2012.
  5. ^ Kumar, Mohit (19 September 2012). "9 million PCs infected with ZeroAccess botnet". The Hacker News. Retrieved 27 December 2012.
  6. ^ Wyke, James (4 April 2012). "The ZeroAccess rootkit". Sophos. p. 2. Retrieved 27 December 2012.
  7. ^ Mimoso, Michael (30 October 2012). "ZeroAccess Botnet Cashing in on Click Fraud and Bitcoin Mining". ThreatPost. Archived from the original on 3 December 2012. Retrieved 27 December 2012.
  8. ^ Gallagher, Sean (6 December 2013). "Microsoft disrupts botnet that generated $2.7M per month for operators". Ars Technica. Retrieved 9 December 2013.
  9. ^ Wyke, James. "The ZeroAccess Botnet: Mining and Fraud for Massive Financial Gain" (PDF). Sophos. p. 45. Retrieved 27 December 2012.
  10. ^ Leyden, John (24 September 2012). "Crooks can milk '$100k a day' from 1-million-zombie ZeroAccess army". The Register. Retrieved 27 December 2012.
  11. ^ Ragan, Steve (31 October 2012). "Millions of Home Networks Infected by ZeroAccess Botnet". SecurityWeek. Retrieved 27 December 2012.
  12. ^ Dunn, John E. (2 November 2012). "ZeroAccess bot has infected 2 million consumers, firm calculates". Techworld. Retrieved 27 December 2012.

External links

  • Analysis of the ZeroAccess botnet, created by Sophos.
  • ZeroAccess Botnet, Kindsight Security Labs.
  • New C&C Protocol for ZeroAccess[permanent dead link], Kindsight Security Labs.
