Symantec researchers have successfully rescued 500,000 of the 1.9 million zombie machines enslaved by the infamous ZeroAccess botnet. The researchers reported managing to save the machines after uncovering a way to sink hole an earlier version of the botnet, in a public blog post.
"Back in March of this year, our engineers began to study in detail the mechanism used by ZeroAccess bots to communicate with each other to see how the botnet could be sinkholed. During this process, we examined a weakness that offered a difficult, but not impossible, way to sinkhole the botnet," read the post.
"This operation quickly resulted in the detachment of over half a million bots and made a serious dent to the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new ZeroAccess bot became sinkholed."
Sinkholing is a takedown commonly used by law enforcement and security professionals when combating botnets. The technique works by re-routing the identification of the malicious command and control (C&C) server used by the botnet to send commands to the zombie machine to the sinkholer's own analysis server. Prior to Symantec's operation it was thought impossible to sinkhole as it doesn't feature a central command and control (C&C) server instead existing and operating on a peer-to-peer network.
"Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet. Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network," explained the Symantec post.
"What this exercise has shown is that despite the resilient P2P architecture of the ZeroAccess botnet, we have still been able to sinkhole a large portion of the bots. This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes."
Symantec managed to garner fresh insights into ZeroAccess' money making mechanisms during the operations. ZeroAccess is an atypical botnet that not only uses enslaved machines for generic click fraud scams, but also as Bitcoin miners. The security firm reported the investigation showed an increased focus on Bitcoin mining, confirming the scams were causing as much as $560,887 worth of harm per-day in electricity use alone.
"To work out the cost of ZeroAccess to an unsuspecting victim, we calculate the difference between the cost of Bitcoin mining versus the cost of the computer idling; for our test setup it works out at an extra 1.82 KWh each day, which is not a whole lot for one victim to pay," read the report.
"If each KWh of electricity costs $0.162 then it would cost $0.29 to mine on a single bot for 24 hours. But multiply this figure by 1.9 million for the whole botnet and we are now looking at energy usage of 3,458,000 KWh (3,458 MWh, enough to power over 111,000 homes each day.)
"This amount of energy is considerably greater than the output of the largest power station in Moss Landing, California, which could produce 2,484 MW and would come with a corresponding electricity bill of $560,887 a day. Despite the costs, all this energy will create just $2,165 worth of Bitcoins a day!"
The botnet's focus on Bitcoin mining was taken as odd as Symantec's research showed its click fraud operations were far more profitable. "The bots running click fraud operations are quite active. In our tests, each bot generated approximately 257MB of network traffic every hour or 6.1GB a day," read the report.
"They also generated around 42 false ad clicks an hour (1008 each day). While each click may pay a penny or even a fraction of a penny, across 1.9 million infected machines, the attacker is potentially generating tens of millions of dollars a year."
The reason for the focus on Bitcoin mining remains unknown, though security researchers, like F-Secure's Mikko Hypponen, have in the past theorised it could be due to the decreased risk Bitcoin mining offers. This is because, outside of the minor rise in electricity costs, the operation doesn't greatly impact the victim, meaning the crooks can operate undetected while running the scam.
ZeroAccess is one of many Botnets to be targeted with a sinkhole attack in recent months. Prior to ZeroAccess, Microsoft and the FBI targeted the infamous Citadel botnet with a sinkhole attack. At its height the Citadel botnet is believed to have controlled millions of infected PCs and been responsible for more than $500m in bank fraud.