White hats exploit flaw to sinkhole leviathan click fraud botnet

By on
White hats exploit flaw to sinkhole leviathan click fraud botnet

Race to beat the ZeroAccess patch.

Half a million bots enslaved by the highly profitable ZeroAccess botnet have been sinkholed ahead of a pending patch that would have made the strike impossible, Symantec reports.

The botnet was one of the world's largest and made a killing by using its army of almost 2 million infected computer nodes to run illegitimate clicks through online advertising.

ZeroAccess was hard to tackle because infected machines would constantly send instructions and peer lists over peer-to-peer networks.

Symantec's hand was forced after researchers, planning on collaborating with law enforcement for the takedown, saw an update pushed out 29 June over the ZeroAccess P2P pipeline that would close a dangerous flaw.

In May, Symantec reported that a vulnerability in the UDP P2P protocol meant bots connected to only a small number of internal peers which exposed the botnet to sinkholing - a mechanism that interrupted the DNS names a bot would use. 

It suspected the botnet authors had closed the hole in response to the report.

Between the time of the report and the trojan update, Symantec had been running simulations of the sinkholing effort. It took an average of five minutes to sinkhole a bot.

"We conducted further tests in our controlled labs and found a practical way to liberate peers from the botmaster," Symantec researchers wrote in a blog.

"The updated version contained a number of changes but, crucially, it contained modifications that address the design flaws that made the botnet vulnerable to being sinkholed."

The ZeroAccess malware was a sophisticated trojan that used a rootkit to conceal its presence.

Cash cow

ZeroAccess was thought to make its eastern European owners tens of millions of dollars a year through click-fraud.

Symantec estimated each infected machine produced 1000 ad clicks and 6.1Gb of data each day.

The fake clicks had become the driving effort behind ZeroAccess after BitCoin mining functionality was dumped earlier this year. The reasons for the switch were unknown but mining for BitCoins  may have become more overt since it was increasingly compute resource-intensive and often required use of dedicated hardware.

Symantec said the collective power required for every ZeroAccess node to constantly mine for BitCoins would be enough to power 111,000 homes.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
bitcoin malware p2p research security symantec trojan zeroaccess
In Partnership With

Most Read Articles

Australia gets world-first encryption busting laws

Australia gets world-first encryption busting laws
Defence turns on billion-dollar Telstra comms network

Defence turns on billion-dollar Telstra comms network
NAB's public cloud expansion ran without internal IT staff

NAB's public cloud expansion ran without internal IT staff
ATO prepares massive IT outsourcing shake-up

ATO prepares massive IT outsourcing shake-up
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Automate and secure IOT for Business
Automate and secure IOT for Business
Data Science and AI Solutions for Cybersecurity
Data Science and AI Solutions for Cybersecurity
Intro to AI for Security Professionals
Intro to AI for Security Professionals
Digital Transformation: Hope, or Hype?
Digital Transformation: Hope, or Hype?
How to choose a trusted IT provider
How to choose a trusted IT provider

Events

Log In

Username / Email:
Password:
  |  Forgot your password?