Microsoft disrupts botnet that generated $2.7M per month for operators

[silicon_toad2000]

http://arstechnica.com/security/2013/12/microsoft-disrupts-botnet-that-generated-2-7m-per-month-for-operators/

On Thursday, Microsoft's Digital Crimes Unit, the legal and technical team that has driven the takedown of botnets such as Bamital and Nitol during the past year, announced that it has moved with Europol, industry partners, and the FBI to disrupt yet another search fraud botnet. The ZeroAccess botnet, also known as ZAccess or Siref, has taken over approximately 2 million PCs worldwide; Microsoft estimates that it has cost search engine advertisers on Google, Bing, and Yahoo over $2.7 million each month.

Further Reading
Massive search fraud botnet seized by Microsoft and Symantec

Hundreds of thousands of Bamital bots made ring of 18 operators over $1M a year.
According to security reporter Brian Krebs, ZeroAccess began its life cycle in 2009 as a delivery network for other malware—dropping paying customers' viruses and Trojans, including "scareware" fake antivirus packages—onto PCs it had successfully infected. But since then, it has evolved into a "clickfraud" platform—intercepting search requests from the user's Web browser and injecting fraudulent hyperlinks into the results returned from major search sites. The botnet operators get paid through advertising networks for the traffic sent to the sites as if the user had clicked on a legitimate ad.

After identifying the IP addresses of 18 command-and-control servers involved in directing ZeroAccess, Microsoft filed civil lawsuits last week against the botnet operators in the US District Court for the Western District of Texas. The court gave Microsoft permission in court to block traffic between them and PCs in the US using technology provided by networking vendor A10 Networks.

As Microsoft executed the traffic block, Europol's European Cybercrime Center in Germany coordinated law enforcement raids on the locations of those IP addresses, resulting in the seizure of the servers involved. Law enforcement in Latvia, Germany, Switzerland, and Luxembourg were involved in the seizures.

[youtube]http://www.youtube.com/watch?feature=player_embedded&v=BFxgzjL-el0[/youtube]

[silicon_toad2000]

Update:  According to analysis from researchers at Damballa, the Microsoft attempt at takedown of ZeroAccess' C&C infrastructure was a failure, because it left a significant number of servers still active. By the estimates of researcher Yacin Nadji and Damballa chief scientist Manos Antonakakis, 62 percent of the C&C infrastructure remained active after the 18 identified IP addresses were taken down. In a blog post, the researchers noted that even if Microsoft had been effective in taking down all of the C&C infrastructure, the botnet would be able to continue to operate unless the P2P communications were disrupted as well. "Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations," they wrote in a blog post to be published today. "This extensive legal work can be undone in a matter of hours."

As a result, taking the servers down may only temporarily disrupt the flow of clicks (and corresponding flow of cash). Microsoft hopes that by taking down the servers, it will be able to identify which advertising affiliates and publishers were tied to the botnet operators by their sudden drop in sent traffic.