White hats exploit flaw to sinkhole leviathan click fraud botnet

By on
White hats exploit flaw to sinkhole leviathan click fraud botnet

Race to beat the ZeroAccess patch.

Half a million bots enslaved by the highly profitable ZeroAccess botnet have been sinkholed ahead of a pending patch that would have made the strike impossible, Symantec reports.

The botnet was one of the world's largest and made a killing by using its army of almost 2 million infected computer nodes to run illegitimate clicks through online advertising.

ZeroAccess was hard to tackle because infected machines would constantly send instructions and peer lists over peer-to-peer networks.

Symantec's hand was forced after researchers, planning on collaborating with law enforcement for the takedown, saw an update pushed out 29 June over the ZeroAccess P2P pipeline that would close a dangerous flaw.

In May, Symantec reported that a vulnerability in the UDP P2P protocol meant bots connected to only a small number of internal peers which exposed the botnet to sinkholing - a mechanism that interrupted the DNS names a bot would use. 

It suspected the botnet authors had closed the hole in response to the report.

Between the time of the report and the trojan update, Symantec had been running simulations of the sinkholing effort. It took an average of five minutes to sinkhole a bot.

"We conducted further tests in our controlled labs and found a practical way to liberate peers from the botmaster," Symantec researchers wrote in a blog.

"The updated version contained a number of changes but, crucially, it contained modifications that address the design flaws that made the botnet vulnerable to being sinkholed."

The ZeroAccess malware was a sophisticated trojan that used a rootkit to conceal its presence.

Cash cow

ZeroAccess was thought to make its eastern European owners tens of millions of dollars a year through click-fraud.

Symantec estimated each infected machine produced 1000 ad clicks and 6.1Gb of data each day.

The fake clicks had become the driving effort behind ZeroAccess after BitCoin mining functionality was dumped earlier this year. The reasons for the switch were unknown but mining for BitCoins  may have become more overt since it was increasingly compute resource-intensive and often required use of dedicated hardware.

Symantec said the collective power required for every ZeroAccess node to constantly mine for BitCoins would be enough to power 111,000 homes.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
bitcoin malware p2p research security symantec trojan zeroaccess
In Partnership With

Most Read Articles

NSW puts digital driver's licence on a blockchain

NSW puts digital driver's licence on a blockchain
ANZ breaks out LEGO to bust staff silos

ANZ breaks out LEGO to bust staff silos
UNSW researchers find FTTP NBN worth the extra billions

UNSW researchers find FTTP NBN worth the extra billions
ANZ digital chief Maile Carnegie frets over human obsolescence

ANZ digital chief Maile Carnegie frets over human obsolescence
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

How to choose a trusted IT provider
How to choose a trusted IT provider
Why Business Process Modelling Matters
Why Business Process Modelling Matters
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018
Managed Security Service Providers for Dummies
Managed Security Service Providers for Dummies
The Cost of Cloud Expertise report
The Cost of Cloud Expertise report

Events

Log In

Username / Email:
Password:
  |  Forgot your password?