Microsoft And Friends Disrupt Resilient ZeroAccess Botnet


Microsoft and its partners have successfully disrupted the Sirefef botnet, also known as ZeroAccess

Microsoft continues its bitter war against botnets and, with its partners, has claimed another scalp: a botnet that has infected 2 million computers globally.

Redmond and its partners said they have successfully disrupted the ‘rampant’ Sirefef botnet, also known as ZeroAccess.

Botnet Disruption

The botnet disruption was conducted by Microsoft’s Digital Crimes Unit (DCU), in partnership with law enforcement agencies including the FBI and the cybercrime units of Germany, Latvia, Luxembourg, Switzerland and the Netherlands.

Industry partners included A10 Networks as well as Europol’s European Cybercrime Centre (EC3).

The Sirefef (or ZeroAccess) botnet is reportedly responsible for online fraud. It targets search results on the major online search and advertising platforms including Google, Bing and Yahoo!, and is estimated to cost online advertisers $2.7 million (£1.6m) each month.

“The majority of computers infected with ZeroAccess are located in the US and Western Europe,” explained Richard Domingues Boscovich, Assistant General Counsel at the Microsoft Digital Crimes Unit in a blog posting. “ZeroAccess is responsible for hijacking search results and directing people to potentially dangerous websites that could install malware onto their computer, steal their personal information or fraudulently charge businesses for online advertisement clicks. ZeroAccess also commits click fraud.”

Robust Architecture

However, Microsoft warned that the architecture of the ZeroAccess botnet is very resilient and that it is one of the most robust and durable botnets in operation. It apparently relies on a peer-to-peer infrastructure that “allows cybercriminals to remotely control the botnet from tens of thousands of different computers.”

And Microsoft said that because of its sophistication, it does not expect to fully eliminate the ZeroAccess botnet. “However, we do expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes,” said Domingues Boscovich.

“Microsoft filed a civil suit against the cybercriminals operating the Zeroaccess botnet, and received authorisation to simultaneously block incoming and outgoing communications between computers located in the US and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes,” explained the European Cybercrime Centre (EC3), the collective European unit responsible for the fight against cybercrime.

“Due to Germany’s initiative, Europol’s European Cybercrime Centre (EC3) coordinated a multi-jurisdictional criminal action targeting 18 IP addresses located in Europe,” it said. “Thanks to the efforts of EC3 and the involved agencies, search warrants and seizures on computer servers associated with the fraudulent IP addresses were executed in several of the involved countries.”

People worried their computer could be infected can visit for detailed instructions on how to remove this threat. Users can also find out how to protect themselves here.

Long Fight

Microsoft has long led the tech industry fight against the scourge of botnets. Starting with Waledac in March 2010, the company has partnered with other technology firms to gather data on a variety of botnets, built civil cases against the botnet operators, and then seized the domains and command-and-control servers of those operators.

After Waledac, the company targeted Rustock, Kelihos, Zeus, Nitol and Bamital. The takedowns have all been successful at disrupting the cyber-criminals’ botnet operations, at least for some time. For example, Microsoft managed in March 2011 to completely take down the Rustock botnet, which resulted in a massive drop in the amount of spam sent out to the Internet. In June this year Microsoft freed more than 1.2 million PCs from the control of the Citadel botnet and its criminal masters.

But Microsoft’s takedown of the Citadel botnet was not without controversy. In June two security organisations said that Microsoft’s sinkholing of 4,000 domains used by the Citadel botnet masters, also included domains used by security researchers.


Originally published on eWeek.