
Microsoft, FBI, Int'l Law Agencies Work Together To Disrupt Botnets



Microsoft announced yesterday that its Digital Crimes Unit has successfully disrupted ZeroAccess, one of the world's largest botnets. Their action was taken in collaboration with Europol's European Cybercrime Centre (EC3), the Federal Bureau of Investigation (FBI) and other industry partners.

ZeroAccess isn't a spam-generating machine like other big botnets Microsoft has helped take down (such as Grum and Waledac). Instead, ZeroAccess hijacks search requests and advertising links, routing them away from sites like Google and Bing and toward less reputable, and often malicious, sites. ZeroAccess employs a peer-to-peer (P2P) architecture in which new instructions and payloads are distributed from one infected host to another. P2P-based botnets are designed to eliminate a single point of failure, so that if one node used to control the botnet is knocked offline, the remainder of the botnet can still function.

The actions this week appear to have targeted the servers that deliver a specific component of ZeroAccess: the one that gives infected systems new instructions on how to defraud various online advertisers, including Microsoft. While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred.

Victims' computers usually fall prey to ZeroAccess either as the result of a drive-by download or from the installation of pirated software.

Once on a system, it can steal the user's personal information, generate fake clicks on web ads and hijack the user's web search results.

Microsoft filed a lawsuit against the botnet's masterminds last week and secured an injunction blocking all communications between computers in the US and 18 specific IP addresses that had been identified in association with the botnet. The company also took control of 49 domains associated with ZeroAccess.

As Microsoft enacted the civil order obtained in its case, Europol coordinated law enforcement agencies in Germany, Latvia, Luxembourg, the Netherlands and Switzerland to execute search warrants and seize servers associated with the fraudulent IP addresses operating within Europe.
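The civil order described above blocks traffic between US machines and a fixed set of IP addresses and domains. An organisation can apply the same idea locally by matching its own outbound connection logs against a blocklist. The script below is an added example, not code from the original post or from Microsoft: the blocklist entries, the log format and the log lines are all constructed placeholders (the 18 addresses and 49 domains from the injunction are not listed on the page, so none appear here), and the only assumption is a proxy or firewall log of the form `<timestamp> <src> -> <dst>:<port> host=<hostname>`.

```python
"""Match outbound connection log lines against a blocklist of C2 IPs and domains.

Added example, not from the original post. Blocklist entries and log lines are
constructed placeholders (documentation-range IPs, .invalid hostnames); the real
addresses and domains named in the injunction are not reproduced on the page.
"""
import ipaddress
import re
from collections import Counter

# Constructed placeholder blocklist, standing in for the IPs and domains an
# order such as the one described in the article would name.
BLOCKED_IPS = {
    ipaddress.ip_address("192.0.2.10"),
    ipaddress.ip_address("198.51.100.7"),
}
BLOCKED_DOMAINS = {"clicks-example.invalid", "ads-relay.invalid"}

# Constructed proxy/firewall log: "<ts> <src> -> <dst>:<port> host=<hostname>".
# The fourth line has no hostname (host=-) and the last line is malformed.
SAMPLE_LOG = """\
2013-12-06T10:01:02Z 10.0.0.5 -> 192.0.2.10:80 host=clicks-example.invalid
2013-12-06T10:01:05Z 10.0.0.8 -> 93.184.216.34:443 host=www.example.com
2013-12-06T10:02:11Z 10.0.0.5 -> 203.0.113.9:8080 host=cdn.ads-relay.invalid
2013-12-06T10:03:40Z 10.0.0.9 -> 198.51.100.7:443 host=-
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) host=(?P<host>\S+)$"
)


def domain_blocked(host: str) -> bool:
    """True if host equals a blocked domain or is a subdomain of one."""
    if host == "-":
        return False
    host = host.lower().rstrip(".")  # normalise case and trailing dot
    return any(host == d or host.endswith("." + d) for d in BLOCKED_DOMAINS)


def classify_line(line: str):
    """Return (src, dst, host, reasons) when a line hits the blocklist, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed lines are skipped, not treated as hits
    try:
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    reasons = []
    if dst in BLOCKED_IPS:
        reasons.append("ip")
    if domain_blocked(m["host"]):
        reasons.append("domain")
    if not reasons:
        return None
    return (m["src"], m["dst"], m["host"], tuple(reasons))


def scan_log(text: str):
    """All blocklist hits in a log, in file order."""
    return [h for h in (classify_line(l) for l in text.splitlines()) if h]


def infected_hosts(text: str) -> Counter:
    """Internal source addresses that contacted blocked infrastructure, with counts."""
    return Counter(h[0] for h in scan_log(text))


if __name__ == "__main__":
    for src, dst, host, why in scan_log(SAMPLE_LOG):
        print(f"{src} -> {dst} ({host}) blocked by {','.join(why)}")
    print("hosts to triage:", dict(infected_hosts(SAMPLE_LOG)))
```

Matching on both the destination address and the hostname matters because, as the article notes, the infections themselves persist after the takedown: a bot whose hard-coded address is blocked may still resolve a blocked domain to a new address, and vice versa. The hosts the script surfaces are the internal machines that still need cleaning, which is the part of the problem the injunction does not solve.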

This is Microsoft's eighth action against botnets in the last three years and the second time in six months that it has worked with law enforcement to disrupt such a high-profile threat (in June of this year a collaborative effort saw the takedown of over 1,000 separate botnets associated with the Citadel crimeware kit).

This latest action is especially notable, though, as it represents a rare instance of serious damage being done to a botnet that is controlled via a peer-to-peer system, whereby infected machines send each other instructions instead of being directed by a central server, which could be targeted and disabled far more easily.
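The resilience the article describes can be made concrete with a toy graph model. The script below is an added illustration, not part of the original post and not a model of how ZeroAccess actually selects peers: it builds two abstract command-and-control topologies (a star around a single server, and a random mesh in which every node keeps a handful of symmetric peer links), takes the same number of nodes offline in each, and measures what share of the remaining nodes can still reach a node that holds fresh instructions. Node counts, peer counts and the random seed are arbitrary choices made here.

```python
"""Why removing a few nodes cripples a centralised C2 but barely dents a P2P one.

Added illustration, not from the original post. The topologies are abstract
graphs, not a reconstruction of any real botnet's peer-selection logic.
"""
import random
from collections import deque


def star_topology(n_bots: int):
    """Every bot talks only to the central server, node 0."""
    edges = {0: set(range(1, n_bots + 1))}
    for i in range(1, n_bots + 1):
        edges[i] = {0}
    return edges


def p2p_topology(n_bots: int, peers_per_bot: int, seed: int = 1):
    """Each bot links to a few random peers; links are symmetric (undirected)."""
    rng = random.Random(seed)
    edges = {i: set() for i in range(n_bots)}
    for i in range(n_bots):
        for j in rng.sample([k for k in range(n_bots) if k != i], peers_per_bot):
            edges[i].add(j)
            edges[j].add(i)
    return edges


def reachable_from(edges, start, offline):
    """Breadth-first search over online nodes only; returns the set reached from start."""
    if start in offline:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        u = queue.popleft()
        for v in edges[u]:
            if v not in offline and v not in seen:
                seen.add(v)
                queue.append(v)
    return seen


def fraction_still_controlled(edges, instruction_sources, offline):
    """Share of online nodes that can still reach an online instruction source."""
    online = {n for n in edges if n not in offline}
    controlled = set()
    for s in instruction_sources:
        controlled |= reachable_from(edges, s, offline)
    return len(controlled & online) / len(online)


def compare(n_bots: int = 100, peers_per_bot: int = 4, removed: int = 3):
    """Return (star_fraction, p2p_fraction) after taking `removed` nodes offline.

    In the star, the server (node 0) is among the removed nodes, so nothing is
    reachable. In the mesh, the removed nodes are `removed` of the five seed
    nodes 0..4 that hold new instructions; the remaining seeds still reach
    almost everyone because every bot has several independent links.
    """
    star = star_topology(n_bots)
    star_fraction = fraction_still_controlled(star, {0}, set(range(removed)))

    mesh = p2p_topology(n_bots, peers_per_bot)
    seeds = set(range(5))
    p2p_fraction = fraction_still_controlled(mesh, seeds, set(range(removed)))
    return star_fraction, p2p_fraction


if __name__ == "__main__":
    s, p = compare()
    print(f"star: {s:.0%} of bots still controlled; p2p: {p:.0%} still controlled")
```

The point the numbers make is the one the article draws: against a mesh, disabling individual nodes achieves little, which is why the action described here went after the servers feeding the click-fraud component rather than after the bots themselves.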

Although this is a victory to be celebrated it does not, regrettably, mean the end of ZeroAccess.

The servers targeted in this intervention are associated with the click-fraud element of the software. Taking them down will undoubtedly cause disruption and a loss of revenue to the people behind ZeroAccess, but the botnet itself is still intact.

Indeed, Microsoft and their partners recognised this in saying that they "do not expect to fully eliminate the ZeroAccess botnet due to the complexity of the threat." The botnet busters do, however, "expect that this action will significantly disrupt the botnet's operation."

If you'd like to do your bit to help rid the world of botnets like ZeroAccess then prevention is easier than cure; you can make a big difference just by doing 3 essential security tasks for your family today.

Reviewed by Ankit Kumar Titoriya on 20:51

All Rights Reserved by gaklakl © 2014 - 2015
