We take bots down, but they get up again – you're never going to keep them down
Dell analysis shows ZeroAccess botnet still slinging out
A combined attack on one of the world's biggest networks of infected PCs has been partially successful: analysis from Dell SecureWorks shows you can't keep a bad botnet down.
In 2013 infosec bods and the feds together disrupted the ZeroAccess network, which used a remotely controlled collection of more than two million slaved computers to rake in millions of dollars in advertising click fraud.
In October of that year Symantec wounded the botnet by interfering with the encrypted peer-to-peer communications used to control the hijacked PCs. The security biz managed to round up and clean about half a million of the Windows machines compromised by the ZeroAccess malware, which was masterminded by criminals from afar.
Two months later Microsoft, in conjunction with Euro cops and the FBI took this a stage further. Police raided data centers across the world, and injected code into software running on the botnet's command servers to deal a fatal blow to the ZeroAccess empire.
But this week, Team Dell has found that within four months of that 2013 offensive, the ZeroAccess controllers had managed to reactivate a fraction of the botnet and continue their criminal operations ever since.
The botnet appeared to span 55,208 unique IP addresses between January 17 and January 25 this year: 38,094 32-bit Windows hosts and 17,114 using its 64-bit cousin.
"I do think the initial disruption of ZeroAccess was successful; it was a tremendous reduction in the amount of systems the botnet used," Jeff Williams, director of security strategy at Dell SecureWork's Counter Threats Unit, told The Register.
"At the same time, we have to recognize that the parties running the botnet have a clear financial motive and that hasn't gone away. There is still money to be made."
One encouraging fact, Williams noted, was that the botnet controllers aren't trying to grow the number of infected systems under their control. He speculated that this was because they were trying to keep under the radar and make money from ZeroAccess without causing a fuss.
When it comes to the location of the slaved systems, over a quarter are in Japan, with India and Russia the next most common IP addresses found. None of these country's law enforcement agencies took part in the original disruption attacks and this may have given the criminals a bright idea.
However, it does seem that organized takedowns or disruption of botnets is having an effect. Networks are shrinking as criminals seek to stay in the shadows while still coining cash.
"If we've learned one thing about malware, it's that businesses and consumers can never let their guard down," a Microsoft spokesperson told El Reg.
"Despite the successful disruption of the ZeroAccess botnet, cybercriminals will continue to search for ways to commit advertising fraud, or to trick consumers into sharing personal and financial information. That's why we strongly encourage consumers to periodically run security scans and to make sure their antivirus software is up to date." ®