After Takeover, Botnet Abandoned

Monday, December 23, 2013 @ 10:12 AM gHale

Bad guys abandoned the ZeroAccess botnet after Microsoft took it over, researchers said.

As a part of the takeover process, Microsoft focused its efforts on the botnet’s fraud component. Shortly after the software giant’s disruption efforts, attackers started sending out new instructions to computers infected with ZeroAccess in an effort to continue their scheme.


However, since the authorities were watching all the bad guys’ moves, Microsoft was able to identify the new IP addresses used. Europol’s European Cybercrime Center (EC3) coordinated law enforcement from various countries to track the new IPs.

Law enforcement agencies from the Netherlands, Latvia, Switzerland and Luxembourg, led by Germany’s Federal Police, took part in the disruption efforts.

Shortly after, the cybercriminals pushed out a new update that included the message “WHITE FLAG,” which Microsoft believes indicates the cybercriminals are giving up.

“Since that time, we have not seen any additional attempts by the bot-herders to release new code and as a result, the botnet is currently no longer being used to commit fraud,” said Richard Domingues Boscovich, assistant general counsel at Microsoft’s Digital Crimes Unit, in a blog post.

When the Redmond, WA-based software giant said it took control of ZeroAccess, it also filed a civil lawsuit against 8 unidentified individuals suspected of operating the botnet.

Because the cybercriminals abandoned their botnet, the U.S. District Court for the Western District of Texas could close the case in order to allow authorities to continue their investigation.

Those who fear their computers have ZeroAccess malware should review the instructions provided by Microsoft on how to clean up the infection.
