ZeroAccess Botnet: Is It Preparing Its Next Attack?


In December 2013, Microsoft’s Digital Crimes Unit, Europol, the FBI, and several technology companies attempted to take down one of the world’s largest botnets, ZeroAccess (also known as max++ or Sirefef). The collaboration disrupted ZeroAccess, but the takedown was not fully successful: several servers supporting the botnet’s command and control (C&C) remained active.

Between its discovery several years earlier and the 2013 takedown, ZeroAccess infected over two million computers worldwide. Infected machines had their search results from Google, Bing, and Yahoo! hijacked and were redirected to malicious websites, which in turn hit the advertising revenue of those search providers. The cost of click fraud attributable to ZeroAccess has been estimated at upwards of $2.7 million each month for online advertisers.

How ZeroAccess affects consumers
While the December disruption limited the botnet’s ability to continue its assault, ZeroAccess has not been completely dismantled. It relies on peer-to-peer communication between infected machines rather than a central C&C server, so there is no single point that a takedown can remove. According to the Microsoft News Center, they “do not expect to fully eliminate ZeroAccess due to the complexity of the threat.” In other words, ZeroAccess could resume malicious activity at any moment and once again wreak havoc on consumers and online advertisers.

ZeroAccess can disable security software, leaving infected machines highly vulnerable to other forms of malware. There is no telling whether the botnet operators have spent the time since the disruption engineering new variants. That is why it is critical to prepare your PC now, before a more resilient variant of ZeroAccess is released into the wild.

Protecting against new variants of ZeroAccess
You can prepare your PC by understanding some of the ways ZeroAccess was distributed prior to the December disruption. Knowing these vectors helps you avoid being infected in the first place.

Drive-by downloads:
One vector for distributing malware is the drive-by download, in which malware is installed silently by exploiting vulnerabilities in web browsers, plug-ins, and other components that run inside the browser. No download prompt or user action is needed. Drive-by downloads are so dangerous because even visiting a legitimate website that has been compromised can result in malware being installed on your PC.

Since drive-by downloads exploit vulnerabilities in outdated software, the most effective defence is to keep all of your software up to date: your operating system, your web browser, and browser-facing applications such as Java, Adobe Reader, and Adobe Flash. Software updates patch these vulnerabilities, so install updates promptly whenever a newer version of something you use is released, and remove plug-ins you no longer need so they cannot be exploited at all. Updates only close vulnerabilities that have already been patched, which is why the other layers below still matter.

Social engineering:
Social engineering involves tricking, luring, or frightening users into performing an action themselves, such as running a downloaded file. Once the user carries out that action, malware is installed on their PC and the machine becomes part of the botnet.

When it comes to social engineering, think before you click. Files from software cracks, keygen websites, or peer-to-peer networks may be deliberately misnamed to lure you into downloading a malicious file. What looks like a copy of the latest movie could be malware designed to give an attacker remote access to your PC.

Having reputable, up-to-date security software installed on your PC is the first step in protecting against fake antivirus, a form of social engineering. A typical fake antivirus page shows a “virus alert” that immediately “scans” your PC, reports a number of infected files, and then asks you to “buy now” to have the malware removed. In most cases, simply closing the browser is all you need to do; it is clicking on the fake antivirus that leads to malware being installed on your PC. That can ultimately result in theft of your personal information, so familiarize yourself with how your (real) virus scanner looks and behaves.

Spam Email:
We’ve all received spam emails before. Most spam ends up in junk folders, but a few messages slip through. Some spam is designed to look legitimate, like something we would expect to receive, which makes it more likely that we click through without thinking twice. Once you click a link in spam, you can be redirected to a site where malware is installed, and opening an attachment can download malware onto your PC.

As with social engineering, think before you click. An email notifying you of suspicious activity on your bank account may send you into panic mode, but that is exactly what cyber criminals are banking on. Avoid clicking links or opening attachments in emails from unknown senders. Even if the sender is someone you know, confirm through another channel that they actually sent it; their email account may have been compromised.

Although ZeroAccess has been disrupted, it has the potential to resume its malicious activity, stronger than before. With millions of dollars at stake, it is highly unlikely that the disruption has discouraged the criminals behind it from future attacks. Being vigilant about what you do online, and keeping your PC’s antivirus software and other software up to date, will help you stay safe online.


9 comments on “ZeroAccess Botnet: Is It Preparing Its Next Attack?”

  • sheldon minkon says:

    I would add: never just update, always choose manual, not auto, and uncheck anything else that comes with the update. And most importantly, make sure you are not being redirected. READ… READ… THEN CLICK.

    • I agree, Sheldon. I always hover over any link and see what appears in the bar at the bottom of the screen. THAT is the real destination.

      • The hover-over to show the real URL doesn’t always work. If you have an email reader that displays HTML email, they can put in a command so that when you hover over the first fake URL, they substitute yet another fake URL for the one you really go to. So I use an email reader that doesn’t display HTML. Either it all stands out in stark relief where you can see it, or you have a white page.

  • I bought software to protect my computer against viruses and other nasties, so why am I being warned to take all these extra precautions? I thought that because I had spent all that money I could stop worrying, secure in the knowledge that my computer was impregnable to malware, and that even if it were to become infected I could sue in the tort of negligent misstatement (having, after all, been assured on many occasions that “[my] computer is safe”). Are you now saying I have wasted my money? If so, how do I get a refund? And can I insist upon old-fashioned cash – or at worst a cheque – as I obviously cannot trust any online banking websites.

    • Security must be seen as different layers. You cannot purchase security software and assume it will protect you from everything without doing your part by being vigilant. It’s like the safety features on your vehicle: just because you have them doesn’t mean you can drive recklessly on the road. You need to do your part.

  • cryofreeze666 says:

    So, since this “program” seems to be directed towards Microsoft’s crap gear, as I understand from this article, what are the wonder boys going to do with that bloated piece of Swiss cheese crap? I am truly tired of reformatting my hard drive every 4 or 5 months to make sure I get any programs a simple reinstall might miss.
    I guess my biggest question is this: what are the virus and malware companies doing to find and remove this program from personal computers should we manage to become infected? I don’t care that it may never truly be removed from the net. You know it’s there, which means you have found it somewhere. Are you saying you can’t get your programs to find, block, or remove that program?
    Though I’m beginning to wonder if it’s worth it, since every program you install seems to have some sort of tracking programmed into it. I’m surprised someone hasn’t written a program to take those operations over.

    • Not sure why you need to reformat your hard drive every 4-5 months; that seems excessive and unnecessary. Next, what security companies are doing is constantly analyzing and researching new and existing malware to enhance their security software. It’s up to the user to be vigilant while on the Web, as well as to make sure their security software (as well as operating system and other applications) is up to date. Also, as mentioned in our blog, since ZeroAccess has no centralized C&C, it’s nearly impossible to take it down.

  • I have not reformatted my hard drive in the last 3 years, and when I do, I will only have to restore my 2-terabyte backup from Acronis. I did that a few times during the last 10 years, always with full success.

  • I was the target of many attacks in 2014. My router received several cyber attacks on ports 16464 and 16471, used by the trojan Sirefef. Those attacks were made from spoofed (unknown) IPs; only two of them could I trace, one to Oldenburg, Germany and the other to the far-away Trinidad & Tobago islands. I really think there is a gang of professional hackers behind those persistent attacks.
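For readers who, like the commenter above, see traffic on the ports ZeroAccess uses for its peer-to-peer network, the following is an added example, not code from the original post or from ZoneAlarm. It parses a constructed router log format (the regular expression, the LAN prefix and the sample lines below are assumptions, with addresses drawn from the RFC 5737 documentation ranges; adapt the pattern to your router’s real format) and separates two very different signals: external addresses repeatedly knocking on ports 16464 and 16471 from the outside, and a machine on the local network initiating connections to those ports on the Internet, which is the case that actually suggests an infected host.

```python
"""Scan firewall/router log lines for traffic on the ZeroAccess (Sirefef)
peer-to-peer ports named in the comments, 16464 and 16471.

Added example for this post, not code from the original article or from
ZoneAlarm. The log format and the log lines are constructed for illustration
(addresses come from the RFC 5737 documentation ranges).
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

ZEROACCESS_PORTS = {16464, 16471}       # ports named on this page
LAN = ip_network("192.0.2.0/24")        # assumption: the home LAN prefix

# Constructed format: "<date> <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines, min_hits=3):
    """Separate inbound noise from the finding that matters.

    'scanners': external sources that hit the P2P ports at least min_hits
                times, or that probed every port in the set.
    'possible_infected_hosts': LAN hosts that *initiated* connections to
                those ports on the Internet, i.e. behaved like a peer.
    """
    inbound = defaultdict(set)    # external src -> ports it probed
    hits = Counter()              # external src -> number of attempts
    outbound = defaultdict(set)   # LAN host -> remote peers it contacted
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in ZEROACCESS_PORTS:
            continue
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        if src in LAN and dst not in LAN:
            outbound[rec["src"]].add(rec["dst"])
        elif src not in LAN:
            hits[rec["src"]] += 1
            inbound[rec["src"]].add(rec["dport"])
    scanners = sorted(
        s for s, n in hits.items()
        if n >= min_hits or len(inbound[s]) == len(ZEROACCESS_PORTS)
    )
    return {
        "scanners": scanners,
        "possible_infected_hosts": sorted(outbound),
        "outbound_peers": {h: sorted(p) for h, p in outbound.items()},
    }


# Constructed sample log: one persistent external prober, one single hit,
# one LAN host reaching out to two Internet peers, and one unrelated line.
SAMPLE_LOG = """\
2014-03-02 14:11:05 DROP TCP 203.0.113.17:51234 -> 192.0.2.10:16464
2014-03-02 14:11:09 DROP TCP 203.0.113.17:51235 -> 192.0.2.10:16471
2014-03-02 14:12:40 DROP UDP 198.51.100.8:40001 -> 192.0.2.10:16464
2014-03-02 14:13:02 DROP TCP 203.0.113.17:51236 -> 192.0.2.10:16464
2014-03-02 14:15:00 ACCEPT TCP 192.0.2.23:49152 -> 203.0.113.99:16471
2014-03-02 14:15:01 ACCEPT TCP 192.0.2.23:49153 -> 198.51.100.77:16464
2014-03-02 14:16:00 ACCEPT TCP 192.0.2.10:49300 -> 198.51.100.50:443
not a firewall line at all
"""

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG.splitlines())
    print("External sources probing the P2P ports:", report["scanners"])
    print("LAN hosts initiating P2P connections:", report["possible_infected_hosts"])
    for host, peers in report["outbound_peers"].items():
        print(f"  {host} contacted {', '.join(peers)}")
```

Inbound hits alone do not mean your PC is infected: in a peer-to-peer botnet, other infected peers keep trying to reach the addresses in their peer lists, so an address that once hosted an infected machine can receive this traffic long after it was cleaned or reassigned. A connection from inside your LAN out to those ports is the finding worth acting on, and the host that made it should be scanned with an up-to-date, reputable tool as the post recommends.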

