ZeroAccess Botnet: Is It Preparing Its Next Attack?


In December 2013, Microsoft's Digital Crimes Unit, Europol, the FBI, and other technology companies sought to take down one of the world's largest botnets, ZeroAccess (also known as max++ or Sirefef). While the collaboration disrupted ZeroAccess, the takedown was not fully successful, as several servers hosting the botnet's command & control (C&C) remained active.

Between its discovery several years ago and 2013, over two million computers globally had been infected. Search results from Google, Bing, and Yahoo! were hijacked, redirecting infected users to malicious websites and, in turn, undermining the advertising revenue of these search providers. In fact, the cost of click fraud caused by ZeroAccess is estimated at upwards of $2.7 million each month for online advertisers.

How ZeroAccess affects consumers
While the December disruption of ZeroAccess impaired the botnet's ability to continue its assault, it has not yet been completely dismantled. ZeroAccess has no central C&C server, which makes it nearly impossible to take down. According to the Microsoft News Center, they "do not expect to fully eliminate ZeroAccess due to the complexity of the threat." This means that ZeroAccess could resume malicious activity at any moment and, once again, wreak havoc on consumers and online advertisers.

ZeroAccess is capable of disabling security software, leaving infected machines highly vulnerable to other forms of malware. There is no telling whether the botnet operators have spent the time since the disruption engineering new variants of ZeroAccess. That is why it is critical to prepare your PC in case a more resilient variant of ZeroAccess is released into the wild.

Protecting against new variants of ZeroAccess
You can prepare your PC by understanding some of the ways ZeroAccess was distributed prior to the December disruption. This way, you can better learn how to avoid being infected in the first place.

Drive-by-download:
One vector for distributing malware is the drive-by download, in which malware is silently installed by exploiting vulnerabilities in web browsers, plug-ins, and other components that run inside browsers. Drive-by downloads are so dangerous that merely visiting a legitimate website that has been compromised can result in malware being installed on your PC.

Prevention:
Since drive-by downloads exploit vulnerabilities in outdated software, one way to prevent them is to ensure all of your software is up to date. This includes your operating system, web browser, and other applications such as Java, Adobe Reader, and Adobe Flash. Software updates patch these vulnerabilities, so whenever a newer version of software you use is available, be sure to update.

Social engineering:
Social engineering involves tricking, luring, or frightening users into performing an action. Once a user carries out the desired action, malware is installed on their PC, which then becomes part of the botnet.

Prevention:
When it comes to social engineering, think before you click. Files from software cracks, keygen websites, or peer-to-peer networks may be intentionally misnamed to lure you into downloading a malicious file. What appears to be a copy of the latest movie could be malware designed to give an attacker remote access to your PC.

Having reputable, up-to-date security software installed on your PC is the first step in protecting against fake antivirus software, a form of social engineering. A telltale sign of fake antivirus is a "virus alert" that immediately "scans" your PC, reports a number of infected files, and then asks you to "buy now" to have the malware removed. Most of the time, simply closing the browser is all you need to do; it is clicking on the fake antivirus that can lead to malware being installed on your PC and, ultimately, to the theft of your personal information. Familiarize yourself with how your real virus scanner looks so you can tell the difference.

Spam Email:
We've all received spam emails before. While most spam ends up in junk folders, a few messages occasionally slip through. Some spam is designed to look legitimate, like something we'd expect to receive, which makes us more likely to click through without thinking twice. Once you click on spam, however, you could be redirected to a site where malware is installed, or opening an attachment may download malware onto your PC.

Prevention:
As with social engineering, think before you click. That email notifying you of suspicious activity on your bank account may send you into panic mode, but that is exactly what cyber criminals are banking on. Avoid clicking on links or attachments in emails from unknown senders. Even if the sender is someone you know, check whether they actually sent the email, since their email account may have been compromised.

Although ZeroAccess has been disrupted, it has the potential to resume its malicious activity, stronger than before. With millions of dollars at stake, it is highly unlikely that the disruption has discouraged cyber criminals from future attacks. Being vigilant about what you do online, and equipping your PC with up-to-date antivirus software, will help you stay safe.
