Update: According to analysis from researchers at Damballa, Microsoft's attempt to take down the ZeroAccess C&C infrastructure was a failure, because it left a significant number of servers active. By the estimates of researcher Yacin Nadji and Damballa chief scientist Manos Antonakakis, 62 percent of the C&C infrastructure remained active after the 18 identified IP addresses were taken down. The researchers also noted that even if Microsoft had succeeded in taking down all of the C&C infrastructure, the botnet would be able to keep operating unless its P2P communications were disrupted as well. "Disabling the click-fraud component is trivially countered by the botmaster by simply pushing an updated binary over the P2P channel with fresh click-fraud configurations," they wrote in a blog post to be published today. "This extensive legal work can be undone in a matter of hours."
As a result, taking the servers down may only temporarily disrupt the flow of clicks (and the corresponding flow of cash). Microsoft hopes that by taking down the servers, it will be able to identify which advertising affiliates and publishers were tied to the botnet operators by the sudden drop in the click traffic they send.
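The attribution idea in the previous paragraph, as an added illustration that is not Microsoft's or Damballa's code: given per-publisher daily click counts, flag publishers whose volume collapses immediately after the takedown date. The data, the 50 percent drop threshold and the three-standard-deviation guard are all constructed assumptions for this example; the guard exists so that a low-volume publisher with naturally noisy traffic is not flagged on ordinary variance.

```python
"""Flag ad publishers whose click volume collapses right after a C&C takedown.

Hypothetical example (not Microsoft's or Damballa's code): applies the
"sudden drop in sent traffic" heuristic from the article to constructed
per-publisher daily click counts.
"""
from statistics import mean, pstdev

# Constructed sample: publisher -> daily click counts over 10 days.
# Days 0-4 precede the takedown, days 5-9 follow it.
SAMPLE_CLICKS = {
    "pub-A": [1000, 1010, 990, 1005, 995, 1000, 1002, 998, 1001, 999],    # steady, organic
    "pub-B": [5000, 5100, 4950, 5050, 5000, 800, 700, 650, 600, 620],      # collapses after takedown
    "pub-C": [200, 300, 150, 250, 400, 180, 220, 350, 160, 290],           # noisy but no real drop
    "pub-D": [3000, 3050, 2980, 3020, 3010, 2400, 2200, 2100, 2000, 1900], # gradual decline only
}
TAKEDOWN_INDEX = 5  # index of the first day after the takedown (assumption)


def drop_ratio(series, takedown_index):
    """Fraction by which the post-takedown mean falls below the pre-takedown mean."""
    before = series[:takedown_index]
    after = series[takedown_index:]
    b_mean = mean(before)
    if b_mean == 0:
        return 0.0
    return (b_mean - mean(after)) / b_mean


def flag_suspect_publishers(clicks, takedown_index, min_drop=0.5, min_sigma=3.0):
    """Return {publisher: drop_ratio} for publishers whose volume fell by at
    least `min_drop` of the pre-takedown mean AND by at least `min_sigma`
    pre-takedown standard deviations. Thresholds are illustrative assumptions."""
    suspects = {}
    for pub, series in clicks.items():
        before = series[:takedown_index]
        after = series[takedown_index:]
        b_mean, b_sd, a_mean = mean(before), pstdev(before), mean(after)
        drop = b_mean - a_mean
        ratio = drop / b_mean if b_mean else 0.0
        # A perfectly flat baseline has zero deviation; any drop is then "infinite" sigmas.
        if b_sd:
            sigma = drop / b_sd
        else:
            sigma = float("inf") if drop > 0 else 0.0
        if ratio >= min_drop and sigma >= min_sigma:
            suspects[pub] = round(ratio, 3)
    return suspects


if __name__ == "__main__":
    for pub, ratio in flag_suspect_publishers(SAMPLE_CLICKS, TAKEDOWN_INDEX).items():
        print(f"{pub}: click volume down {ratio:.1%} after takedown")
```

Running this on the constructed data flags only pub-B, whose clicks fall by roughly 87 percent; pub-D's 30 percent slide stays below the threshold and pub-C's noise is absorbed by the baseline deviation. A drop alone is a lead, not proof: a publisher can lose traffic for unrelated reasons on the same day, and, as the Damballa researchers point out, a botmaster who pushes a fresh click-fraud configuration over the P2P channel can restore the flow before the comparison window closes.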