Symantec sinkholes 500,000 zombie machines enslaved by ZeroAccess botnet

01 Oct 2013

Symantec researchers have freed 500,000 of the estimated 1.9 million zombie machines enslaved by the infamous ZeroAccess botnet. In a public blog post, the researchers said they detached the machines after finding a way to sinkhole an earlier version of the botnet's peer-to-peer code.

"Back in March of this year, our engineers began to study in detail the mechanism used by ZeroAccess bots to communicate with each other to see how the botnet could be sinkholed. During this process, we examined a weakness that offered a difficult, but not impossible, way to sinkhole the botnet," read the post.

"This operation quickly resulted in the detachment of over half a million bots and made a serious dent in the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new ZeroAccess bot became sinkholed."

Sinkholing is a takedown technique commonly used by law enforcement and security researchers against botnets. It works by redirecting the bots' attempts to reach their command and control (C&C) server, typically by taking over the domain names or addresses the bots look up, so that they connect instead to a server controlled by the sinkholer, who can then log the infections and deny the botmaster the ability to issue commands. Before Symantec's operation ZeroAccess was considered effectively immune to this approach: it has no central C&C server to seize, and instead operates over a peer-to-peer (P2P) network in which the infected machines exchange peer lists and updates among themselves.

"Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet. Whenever a computer becomes infected with ZeroAccess, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network," explained the Symantec post.

"What this exercise has shown is that despite the resilient P2P architecture of the ZeroAccess botnet, we have still been able to sinkhole a large portion of the bots. This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes."
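The mechanism Symantec describes, a sinkhole that joins the P2P network as a peer and gradually displaces real peers from the bots' lists, can be seen in miniature in the following toy simulation. It is an added illustration for this article, not Symantec's code and not ZeroAccess's actual protocol: the peer-list size, reply size, the "ask the newest peer for its list" behaviour and the bot/sinkhole addresses are all assumptions chosen so a run can be traced by hand.

```python
"""Toy simulation of sinkholing a P2P botnet by poisoning peer lists.

Added example, not ZeroAccess's real protocol or Symantec's code. Assumptions:
each bot keeps a small bounded peer list, newest entries first; each round it
asks the peer at the front of its list for that peer's list and merges the
reply to the front of its own. A sinkhole node answers every such request
with nothing but sinkhole addresses.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

PEER_LIST_SIZE = 3   # bounded peer list per bot (assumption; real bots keep far more)
REPLY_SIZE = 2       # peers returned per list request (assumption)


@dataclass
class Bot:
    addr: str
    peers: List[str]                    # newest learned peer first
    sinkholed_at: Optional[int] = None  # first round in which every peer was a sinkhole


class Sinkhole:
    """A peer that only ever hands out sinkhole addresses.

    Replies rotate through the sinkhole's address pool so that repeated
    requests eventually cover the whole pool rather than the same two entries.
    """

    def __init__(self, addrs: List[str]):
        self.addrs = list(addrs)
        self._pos = 0

    def reply(self) -> List[str]:
        out = [self.addrs[(self._pos + i) % len(self.addrs)] for i in range(REPLY_SIZE)]
        self._pos = (self._pos + REPLY_SIZE) % len(self.addrs)
        return out


def merge(peers: List[str], received: List[str]) -> List[str]:
    """Put newly received peers first, drop duplicates, keep the list bounded.

    This is the simulated weakness: the bot trusts whatever peer list it is
    handed and lets it push older entries out.
    """
    merged = list(received) + [p for p in peers if p not in received]
    return merged[:PEER_LIST_SIZE]


def build_botnet(n_bots: int) -> Dict[str, Bot]:
    """Deterministic ring bootstrap: each bot knows the next PEER_LIST_SIZE bots."""
    addrs = [f"bot{i}" for i in range(n_bots)]   # constructed placeholder addresses
    bots = {}
    for i, a in enumerate(addrs):
        peers = [addrs[(i + k) % n_bots] for k in range(1, PEER_LIST_SIZE + 1)]
        bots[a] = Bot(a, peers)
    return bots


def simulate(n_bots: int, sinkhole_addrs: List[str], rounds: int) -> Dict[str, Bot]:
    """Run the gossip rounds; an empty sinkhole_addrs gives an unpoisoned control run."""
    bots = build_botnet(n_bots)
    sink = set(sinkhole_addrs)
    sinkhole = Sinkhole(sinkhole_addrs) if sinkhole_addrs else None
    if sinkhole:
        # The sinkhole has to get into one bot's list to start with; assume the
        # operator managed that by behaving as an ordinary peer towards bot0.
        first = next(iter(bots.values()))
        first.peers = merge(first.peers, sinkhole.reply())
    for r in range(1, rounds + 1):
        for bot in bots.values():          # bots act one after another within a round
            target = bot.peers[0]
            if target in sink:
                received = sinkhole.reply()
            else:
                received = bots[target].peers[:REPLY_SIZE]
            bot.peers = merge(bot.peers, received)
            if bot.sinkholed_at is None and all(p in sink for p in bot.peers):
                bot.sinkholed_at = r
    return bots


def sinkholed_count(bots: Dict[str, Bot]) -> int:
    return sum(1 for b in bots.values() if b.sinkholed_at is not None)


if __name__ == "__main__":
    result = simulate(n_bots=4, sinkhole_addrs=["sink-a", "sink-b", "sink-c"], rounds=5)
    for b in result.values():
        print(b.addr, b.peers, "sinkholed in round", b.sinkholed_at)
    print(f"{sinkholed_count(result)}/{len(result)} bots sinkholed")
```

Two properties of the run are worth noting. First, the sinkholed state is absorbing: once a bot's list holds only sinkhole addresses it never asks a real peer for anything again, which is exactly why Symantec can say such bots are "effectively unavailable to the botnet". Second, the whole operation rests on the bots accepting peer lists uncritically; a botmaster who pushes an update that closes that weakness, as the article's reference to "an earlier version" implies happened, shuts the window, so the timing of a sinkholing operation matters as much as the technique.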

Symantec also gained fresh insight into how ZeroAccess makes money. ZeroAccess is unusual in that it uses enslaved machines not only for conventional click fraud but also as Bitcoin miners. The firm said its investigation showed a growing emphasis on mining, and estimated that across the whole botnet the mining alone could be costing victims as much as $560,887 a day in electricity.

"To work out the cost of ZeroAccess to an unsuspecting victim, we calculate the difference between the cost of Bitcoin mining versus the cost of the computer idling; for our test setup it works out at an extra 1.82 kWh each day, which is not a whole lot for one victim to pay," read the report.

"If each kWh of electricity costs $0.162 then it would cost $0.29 to mine on a single bot for 24 hours. But multiply this figure by 1.9 million for the whole botnet and we are now looking at energy usage of 3,458,000 kWh (3,458 MWh, enough to power over 111,000 homes each day).

"This amount of energy is considerably greater than the output of the largest power station in Moss Landing, California, which could produce 2,484 MW and would come with a corresponding electricity bill of $560,887 a day. Despite the costs, all this energy will create just $2,165 worth of Bitcoins a day!"

The emphasis on Bitcoin mining is surprising, because Symantec's own figures show click fraud to be far more profitable. "The bots running click fraud operations are quite active. In our tests, each bot generated approximately 257MB of network traffic every hour or 6.1GB a day," read the report.

"They also generated around 42 false ad clicks an hour (1008 each day). While each click may pay a penny or even a fraction of a penny, across 1.9 million infected machines, the attacker is potentially generating tens of millions of dollars a year."

Why the botmasters bother with mining remains unknown, though security researchers such as F-Secure's Mikko Hypponen have previously theorised that it is the lower-risk activity: beyond a modest rise in the electricity bill, mining has little visible impact on the victim, so the operation can run for a long time without being noticed.

ZeroAccess is one of several botnets to be sinkholed in recent months. Prior to ZeroAccess, Microsoft and the FBI targeted the infamous Citadel botnet in a similar operation. At its height Citadel is believed to have controlled millions of infected PCs and been responsible for more than $500m in bank fraud.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.