Symantec takes on one of largest botnets in history

The security firm is confronting the ZeroAccess botnet, which is likely to have more than 1.9 million slave computers at its disposal for click fraud and bitcoin mining.

Charlie Osborne Contributing Writer
Charlie Osborne is a cybersecurity journalist and photographer who writes for ZDNet and CNET from London. PGP Key: AF40821B.
Charlie Osborne
2 min read

Symantec has seized part of the 1.9 million-computer strong ZeroAccess, one of the largest botnets in existence.

In a blog post Monday, the security firm said the ZeroAccess botnet is primarily used to deliver payloads to infected computers, which is aimed at two illegal, revenue-generating activities: click fraud and bitcoin mining.

One type of payload often associated with ZeroAccess is a click fraud Trojan. Once installed on a compromised computer, the Trojan downloads online advertisements and then generates artificial clicks, which can pay out dividends through pay-per-click (PPC) affiliate schemes. The bots running fraud operations generated around 42 false ad clicks an hour, which can result in potential revenue generation of tens of millions of dollars a year for the botnet master, according to Symantec.

In addition, the botnet is also involved in bitcoin mining. The security team estimates that mining the virtual currency -- which is based on mathematical equations -- is potentially the most intensive activity conducted by the botnet, and consumes an additional 1.82 kWh per day for every infected computer left on. Multiplied by 1.9 million computers, that is enough energy to power 111,000 homes each day.

A key feature of the ZeroAccess botnet is the use of a peer-to-peer (P2P) command-and-control (C&C) communications architecture. Since no central C&C server exists, attack servers cannot simply surround the server and neutralize the threat. Instead, peer-to-peer technology allows a compromised computer to contact its peers, connect, and receive instructions and infected files quickly and efficiently.

This constant communication makes destroying the botnet difficult. However, after studying the structure, Symantec researchers say they found a way to attack the botnet. A weakness in the latest version of ZeroAccess made it possible for security experts to "sinkhole" the botnet, which has resulted in the detachment of over half a million bots. In addition, Symantec said the campaign has "made a serious dent to the number of bots controlled by the botmaster."

"In our tests, it took an average of just five minutes of P2P activity before a new ZeroAccess bot became sinkholed," the researchers said.

While the botnet is still in operation, a large number of bots are now no longer able to receive any commands. To further the destruction of ZeroAccess, Symantec is working with ISPs and CERTs worldwide to clean infected computers.