White hats exploit flaw to sinkhole leviathan click fraud botnet

By on
White hats exploit flaw to sinkhole leviathan click fraud botnet

Race to beat the ZeroAccess patch.

Half a million bots enslaved by the highly profitable ZeroAccess botnet have been sinkholed ahead of a pending patch that would have made the strike impossible, Symantec reports.

The botnet was one of the world's largest and made a killing by using its army of almost 2 million infected computer nodes to run illegitimate clicks through online advertising.

ZeroAccess was hard to tackle because infected machines would constantly send instructions and peer lists over peer-to-peer networks.

Symantec's hand was forced after researchers, planning on collaborating with law enforcement for the takedown, saw an update pushed out 29 June over the ZeroAccess P2P pipeline that would close a dangerous flaw.

In May, Symantec reported that a vulnerability in the UDP P2P protocol meant bots connected to only a small number of internal peers which exposed the botnet to sinkholing - a mechanism that interrupted the DNS names a bot would use. 

It suspected the botnet authors had closed the hole in response to the report.

Between the time of the report and the trojan update, Symantec had been running simulations of the sinkholing effort. It took an average of five minutes to sinkhole a bot.

"We conducted further tests in our controlled labs and found a practical way to liberate peers from the botmaster," Symantec researchers wrote in a blog.

"The updated version contained a number of changes but, crucially, it contained modifications that address the design flaws that made the botnet vulnerable to being sinkholed."

The ZeroAccess malware was a sophisticated trojan that used a rootkit to conceal its presence.

Cash cow

ZeroAccess was thought to make its eastern European owners tens of millions of dollars a year through click-fraud.

Symantec estimated each infected machine produced 1000 ad clicks and 6.1Gb of data each day.

The fake clicks had become the driving effort behind ZeroAccess after BitCoin mining functionality was dumped earlier this year. The reasons for the switch were unknown but mining for BitCoins  may have become more overt since it was increasingly compute resource-intensive and often required use of dedicated hardware.

Symantec said the collective power required for every ZeroAccess node to constantly mine for BitCoins would be enough to power 111,000 homes.

Got a news tip for our journalists? Share it with us anonymously here.

Copyright © SC Magazine, Australia


Most Read Articles

Log In

  |  Forgot your password?