ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet mostly involved in bitcoin mining and click fraud, while remaining hidden on a system using rootkit techniques.
Contents
History and propagation
The ZeroAccess botnet was discovered at least around May 2011. The ZeroAccess rootkit responsible for the botnet's spread is estimated to have been present on at least 9 million systems. Estimates of the size of the botnet vary across sources; antivirus vendor Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, and security firm Kindsight estimated 2.2 million infected and active systems.
The bot itself is spread through the ZeroAccess rootkit through a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either by disguising it as a legitimate file, or including it hidden as an additional payload in an executable which announces itself as, for example, bypassing copyright protection (a keygen). A second attack vector utilizes an advertising network in order to have the user click on an advertisement that redirects them to a site hosting the malicious software itself. A third infection vector used is an affiliate scheme where third party persons are paid for installing the rootkit on a system.
In December 2013 a coalition led by Microsoft moved to destroy the command and control network for the botnet. The attack was ineffective though because not all C&C were seized, and its peer-to-peer command and control component was unaffected - meaning the botnet could still be updated at will.
Operation
Once a system has been infected with the ZeroAccess rootkit it will start one of the two main botnet operations: bitcoin mining or Click fraud. Machines involved in bitcoin mining generate bitcoins for their controller, the estimated worth of which was estimated at 2.7 million US dollars per year in September 2012. The machines used for click fraud simulate clicks on website advertisements paid for on a pay per click basis. The estimated profit for this activity may be as high as 100,000 US dollars per day, costing advertisers $900,000 a day in fraudulent clicks. Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine. It may alternatively infect a random driver in C:WindowsSystem32Drivers giving it total control over the operating system. It also disables the Windows Security Center, Firewall, and Windows Defender from the operating system. ZeroAccess also hooks itself into the tcp/ip stack to help with the click fraud.
The software also looks for the Tidserv malware and removes it if it finds it.