White hats exploit flaw to sinkhole leviathan click fraud botnet

By on
White hats exploit flaw to sinkhole leviathan click fraud botnet

Race to beat the ZeroAccess patch.

Half a million bots enslaved by the highly profitable ZeroAccess botnet have been sinkholed ahead of a pending patch that would have made the strike impossible, Symantec reports.

The botnet was one of the world's largest and made a killing by using its army of almost 2 million infected computer nodes to run illegitimate clicks through online advertising.

ZeroAccess was hard to tackle because infected machines would constantly send instructions and peer lists over peer-to-peer networks.

Symantec's hand was forced after researchers, planning on collaborating with law enforcement for the takedown, saw an update pushed out 29 June over the ZeroAccess P2P pipeline that would close a dangerous flaw.

In May, Symantec reported that a vulnerability in the UDP P2P protocol meant bots connected to only a small number of internal peers which exposed the botnet to sinkholing - a mechanism that interrupted the DNS names a bot would use. 

It suspected the botnet authors had closed the hole in response to the report.

Between the time of the report and the trojan update, Symantec had been running simulations of the sinkholing effort. It took an average of five minutes to sinkhole a bot.

"We conducted further tests in our controlled labs and found a practical way to liberate peers from the botmaster," Symantec researchers wrote in a blog.

"The updated version contained a number of changes but, crucially, it contained modifications that address the design flaws that made the botnet vulnerable to being sinkholed."

The ZeroAccess malware was a sophisticated trojan that used a rootkit to conceal its presence.

Cash cow

ZeroAccess was thought to make its eastern European owners tens of millions of dollars a year through click-fraud.

Symantec estimated each infected machine produced 1000 ad clicks and 6.1Gb of data each day.

The fake clicks had become the driving effort behind ZeroAccess after BitCoin mining functionality was dumped earlier this year. The reasons for the switch were unknown but mining for BitCoins  may have become more overt since it was increasingly compute resource-intensive and often required use of dedicated hardware.

Symantec said the collective power required for every ZeroAccess node to constantly mine for BitCoins would be enough to power 111,000 homes.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia

Tags:
bitcoin malware p2p research security symantec trojan zeroaccess

Most Read Articles

Telstra to have Australian agents answer all inbound calls from 2022

Telstra to have Australian agents answer all inbound calls from 2022
Critical F5 BIG-IP vulnerability made public

Critical F5 BIG-IP vulnerability made public
CBA hit by nine-hour online banking, payments outage

CBA hit by nine-hour online banking, payments outage
Govt ponders new sovereignty rules for datasets

Govt ponders new sovereignty rules for datasets
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Get IT, finance and business on the same page
Get IT, finance and business on the same page
Why is DevSecOps important to your business?
Why is DevSecOps important to your business?
Architecting Hybrid IT & Edge for Digital Advantage
Architecting Hybrid IT & Edge for Digital Advantage
Organizations Increasing Their Adoption of NFV
Organizations Increasing Their Adoption of NFV
Modernise IT by Reducing Your Reliance on AD
Modernise IT by Reducing Your Reliance on AD

Events

Log In

Username / Email:
Password:
  |  Forgot your password?