ZeroAccess Bot-Herders Experience Detachment of their Bots following Sinkholing
Security researchers at Symantec recently carried out a "sinkholing" operation that proved disastrous for the ZeroAccess bot-herders. The botnet, possibly the largest in existence, slipped from its herders' control when over a quarter of the devices in it were severed from the network by the sinkholing operation.
Symantec explains that the ZeroAccess botnet comprised over 1.9m infected PCs and was used primarily for click-fraud scams and Bitcoin mining, earning the cyber-criminals many millions of US dollars every year.
Moreover, apart from its enormous size, ZeroAccess is also notable because it exchanges messages over a P2P (peer-to-peer) architecture rather than through a central C&C (command-and-control) server, which makes it hard to disrupt.
Starting in March 2013, Symantec researchers spent their time examining the botnet in order to find a method for sinkholing it. Soon after a theory had been formulated on how to achieve that objective, the ZeroAccess owners released a fresh version on 29th June 2013.
The sinkholing approach that Symantec had first worked out, however, did not succeed against the malware's new variant. The release of the new ZeroAccess version was perhaps prompted by a research paper published in May 2013 that detailed how the P2P mechanism was actually weak.
As a result, the researchers went ahead with the sinkholing operation, detaching as many bots as possible before the new version was fully rolled out.
On its company blog, Symantec wrote that the operation quickly led to the detachment of a massive number of bots, significantly reducing the total count of infected machines that the ZeroAccess herders originally controlled. When the researchers ran their tests, only 5 minutes of peer-to-peer activity passed on average before another infected computer was sinkholed, the security company wrote. Theinquirer.net published this on September 30, 2013.
However, past experience of botnet takedowns shows that such malicious networks never truly die; they are simply reinvented, rebuilt, or retooled. Security researcher Vikram Thakur of Symantec states that the ZeroAccess shutdown is nevertheless different, because law enforcement is involved in this case. Therefore, hopefully, the bot-herders will never really recover from their loss, Mr. Thakur adds. Darkreading.com published this on September 30, 2013.
» SPAMfighter News - 08-10-2013