Once Stalled, Botnet Fires Back Up

Friday, January 30, 2015 @ 04:01 PM gHale

After six months of silence, the ZeroAccess botnet, also known as Sirefef, is back, albeit at a far smaller scale than it was two years ago.

Researchers at Dell SecureWorks Counter Threat Unit found new activity from the once-disrupted botnet. ZeroAccess is actually two peer-to-peer botnets, one for 32-bit Windows and one for 64-bit, and both tamper with the results of all major search engines in all major web browsers. Historically, it hijacked search results to send users to malicious sites, and it committed click fraud, generating bogus clicks on ads so advertisers paid for traffic that never came from real users.


Just over a year ago, in December 2013, Microsoft, Europol, and the FBI teamed to disrupt ZeroAccess. At that time the botnet had infected nearly 2 million computers all over the world and was costing online advertisers $2.7 million a month.

The botnet resurfaced a few months later and was active between March 21 and July 2, 2014. It then went silent again until Jan. 15, 2015, according to SecureWorks, when infected machines began receiving URLs for attacker-controlled click-fraud template servers.

The botnet is not what it once was, researchers said. ZeroAccess administrators made no attempt to grow the botnet after the disruption in December 2013; they are simply reusing whatever infected hosts they had left.

So, instead of 2 million nodes, ZeroAccess now has 55,000. The bulk of them are in Japan, India, and Russia. Only 2,540 are in the United States.
