Symantec uses vulnerability to take out part of the ZeroAccess botnet

Symantec has announced that they’ve successfully taken down a significant part of the ZeroAccess botnet, by exploiting a weakness discovered in its code.

The ZeroAccess botnet has existed in one form or another since 2010, last September, security vendor Sophos reported that the executable for ZeroAccess had been downloaded approximately 9 million times, and Kindsight, a network-based security and analytics vendor, reported that 2.2 million home networks were infected by the botnet as of Q3 2012.

ZeroAccess spreads via exploit kits, usually after victims have followed a link in email or downloaded pirated software or Warez (key generators or software cracks). The botnet is a virtual money machine, as the primary focus is Bitcoin mining and click-fraud. The rapid spread of the botnet is due largely to the fact that its operator’s PPI (Pay-Per-Install) program pays handsomely.

[70 percent of business users vulnerable to latest Internet Explorer Zero-Day]

In August, Symantec observed that ZeroAccess was running a network of 1.9 million bots, while this number is lower than what was estimated in the second half of 2012, it still equates to nearly $2,100 a day in Bitcoin earnings, and costing advertisers nearly $1 million in lost earnings.

The botnet itself runs on a Peer-2-Peer command and control architecture, making the task of taking it down rather difficult. As each newly infected host comes online, it reaches out to other infected hosts to exchange details about other peers on the network (the botnet itself in this case), allowing them to propagate files and instructions quickly and efficiently.

Symantec struggled with the task of taking ZeroAccess offline for some time, but the P2P architecture, as mentioned, made the task a tricky one. However, earlier this year Symantec engineers noticed a weakness that offered a difficult, but not impossible, method to sinkhole the botnet.

“We conducted further tests in our controlled labs and found a practical way to liberate peers from the botmaster,” Symantec explains in a blog post.

“During this time, we continued to monitor the botnet and on June 29, we noticed that a new version of ZeroAccess being distributed through the peer-to-peer network. The updated version contained a number of changes but, crucially, it contained modifications that address the design flaws that made the botnet vulnerable to being sinkholed.”

On July 16, Symantec began exploiting the weakness, taking down some 500,000 bots in the process. In tests, Symantec said that it took an average of just five minutes of P2P communication before another bot was sinkholed and removed from the ZeroAccess network.

“What this exercise has shown is that despite the resilient P2P architecture of the ZeroAccess botnet, we have still been able to sinkhole a large portion of the bots. This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes,” Symantec’s post added.

Going forward, Symantec says they are working with ISPs and CERTS across the globe to share information and clean the infected systems. The full post on the takedown is here .