ZeroAccess, also known as max++ and Sirefef, is a trojan horse that affects Microsoft Windows operating systems. It is used to download other malware onto an infected machine and to form a botnet, mostly involved in Bitcoin mining and click fraud, while remaining hidden on the system using rootkit techniques.
History and propagation
The ZeroAccess botnet was originally discovered around July 2011. The ZeroAccess rootkit responsible for spreading the botnet is estimated to have been present on at least 9 million systems. Current estimates of the botnet's size vary across sources: antivirus vendor Sophos estimates around 1 million active infected machines, while security firm Kindsight places the figure at 2.2 million infected and active systems.
The botnet is spread by the ZeroAccess rootkit through a variety of attack vectors. The first is social engineering, in which a user is expected to start an executable willingly, either because it masquerades as a legitimate piece of software or because it is packed alongside an executable used for bypassing copyright protection (such as a keygen). The second uses advertising networks to have the user click on an advertisement that, in turn, redirects them to a site hosting the malicious software itself. A third infection vector is an affiliate scheme in which third parties are paid a set amount of cash for each successful installation of the rootkit on a system.
Once a system has been infected with the ZeroAccess rootkit, it will start one of the two main botnet operations: Bitcoin mining or click fraud. The machines involved in Bitcoin mining generate Bitcoins for the botnet's owner, with an estimated worth of 2.7 million US dollars a year. The machines used for click fraud simulate clicks on website advertisements, which are often operated on a pay-per-click basis. The estimated profit from this activity may be as high as 100,000 US dollars a day, while costing advertisers a total of 900,000 US dollars a day in fraudulent clicks.
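The click-fraud operation described above leaves a footprint that an advertiser or network operator can look for: a host that clicks ads far more often, and at far more regular intervals, than a person would. The following script is an added illustration written for this article, not code from the article's sources or from the ZeroAccess malware. It parses a constructed ad-click log (the `timestamp,host,event` format, the hosts and the thresholds `MIN_CLICKS` and `MAX_INTERVAL_CV` are all assumptions made for the example) and flags hosts whose click timing is machine-regular.

```python
"""Flag hosts whose ad-click timing looks automated (added defensive example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not a real capture. Format: ISO timestamp,source host,event.
# 10.0.0.5 clicks every 30 seconds like a bot; 10.0.0.7 and 10.0.0.9 click irregularly.
SAMPLE_LOG = """\
2013-01-01T10:00:00,10.0.0.5,ad_click
2013-01-01T10:00:30,10.0.0.5,ad_click
2013-01-01T10:01:00,10.0.0.5,ad_click
2013-01-01T10:01:30,10.0.0.5,ad_click
2013-01-01T10:02:00,10.0.0.5,ad_click
2013-01-01T10:02:30,10.0.0.5,ad_click
2013-01-01T10:03:00,10.0.0.5,ad_click
2013-01-01T10:03:30,10.0.0.5,ad_click
2013-01-01T10:04:10,10.0.0.7,ad_click
2013-01-01T10:05:00,10.0.0.9,ad_click
2013-01-01T10:05:05,10.0.0.9,ad_click
2013-01-01T10:06:00,10.0.0.7,page_view
2013-01-01T10:07:05,10.0.0.9,ad_click
2013-01-01T10:07:45,10.0.0.9,ad_click
2013-01-01T10:17:45,10.0.0.9,ad_click
2013-01-01T10:18:00,10.0.0.9,ad_click
2013-01-01T10:21:20,10.0.0.9,ad_click
2013-01-01T10:30:00,10.0.0.7,ad_click
"""

# Assumed thresholds for the example; a real deployment would tune these per campaign.
MIN_CLICKS = 6          # fewer clicks than this is too little evidence to act on
MAX_INTERVAL_CV = 0.2   # coefficient of variation of click gaps at or below this is machine-regular


def parse_log(text):
    """Return {host: sorted list of ad_click timestamps}; other events are ignored."""
    clicks = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, event = line.split(",")
        if event == "ad_click":
            clicks[host].append(datetime.fromisoformat(ts))
    for times in clicks.values():
        times.sort()
    return dict(clicks)


def interval_cv(times):
    """Coefficient of variation (stddev / mean) of the gaps between consecutive clicks.

    Returns None when there are fewer than two gaps, i.e. no timing pattern to judge.
    """
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else 0.0


def suspicious_hosts(text, min_clicks=MIN_CLICKS, max_cv=MAX_INTERVAL_CV):
    """Return sorted (host, click_count, cv) tuples for hosts that click often and regularly."""
    flagged = []
    for host, times in parse_log(text).items():
        if len(times) < min_clicks:
            continue  # not enough volume to matter
        cv = interval_cv(times)
        if cv is not None and cv <= max_cv:
            flagged.append((host, len(times), round(cv, 3)))
    return sorted(flagged)


if __name__ == "__main__":
    for host, count, cv in suspicious_hosts(SAMPLE_LOG):
        print(f"{host}: {count} ad clicks, interval CV {cv} -> likely automated")
```

Only `10.0.0.5` is flagged: it has enough clicks and its gaps are identical (CV 0.0). Host `10.0.0.9` clicks just as much but at human-looking irregular intervals, and `10.0.0.7` never reaches the volume threshold. Requiring both volume and regularity is what keeps a heavy but legitimate user from being blocked along with the bots.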
- Analysis of the ZeroAccess botnet, Sophos.
- ZeroAccess Botnet, Kindsight Security Labs.
- New C&C Protocol for ZeroAccess, Kindsight Security Labs.