Pierluigi Paganini December 07, 2013

Microsoft Digital Crimes Unit, FBI, Europol and industry partners decapitated the feared ZeroAccess botnet that hijacks search results

Microsoft this week has announced that thanks to a joint operation of its Digital Crimes Unit and the Federal Bureau of Investigation (FBI), Europol’s European Cybercrime Centre (EC3) and technology companies has decapitated ZeroAccess botnet.

The ZeroAccess botnet is considered one of most insidious malicious architecture that has infected nearly two million systems all over the world, the majority of computers ZeroAccess has infected have been located in the U.S. and Western Europe.  Richard Domingues Boscovich, assistant general counsel with Microsoft Digital Crimes Unit, estimated that ZeroAccess cost online advertisers upwards of $2.7 million each month.

Trojan. ZeroAccess malware uses an advanced rootkit to hide itself and it is able to download more malware and opens a backdoor on the victim computer.
The name ZeroAccess derives from a string found in the kernel driver code that is pointing to the original project folder called ZeroAccess, it is distributed through several means including compromised websites, redirecting traffic to malicious websites that host the trojan and distribute it using exploit kit such as the Blackhole Exploit Toolkit. The ZeroAccess bot exploits a “drive-by download” scheme for infection process and is able to update itself through peer-to-peer networks.

The support of P2P protocol allows cyber criminals to control the botnet remotely from tens of thousands of different computers.

The monetization process behind the ZeroAccess botnet is a classic pay per click advertising, the malware download an application that conducts Web searches and clicks on the results.

“This is known as click fraud, which is a highly lucrative business for malware creators.” states the Symantec advisor on the agent.

Almost every search engine and browser was targeted by ZeroAccess including Google, Bing and Yahoo.

“Computers can also become infected through counterfeit and unlicensed software, where criminals disguise ZeroAccess as legitimate software, tricking a person into downloading the ZeroAccess malware onto their computer.” “Because Microsoft found that the ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it is critical that victims rid their computers of ZeroAccess by using malware removal or anti-virus software as quickly as possible,”  Boscovich added,

Due the high sophistication of ZeroAccess malware, Microsoft security experts believe that the threat isn’t definitively eradicated, the investigation on the ZeroAccess botnet is still ongoing thanks to the support of law enforcement and private security firms.