The ZeroAccess botnet, which controls around two million endpoints, has begun to be sinkholed, with around a quarter of its connections removed.
The action by Symantec researchers, who found a weakness that offered a complicated method of sinkholing the botnet, allowed them to detach over half a million PCs in only five minutes.
In its work, Symantec spotted the flaw in an update to the botnet's peer-to-peer command and control (C&C) architecture. The peer-to-peer design is a key feature of the botnet: it has no central server, which makes it harder to sinkhole and bring under lawful control.
Upon infection, the Trojan opens a back door and connects to a C&C server, which gives the remote attacker access to the compromised computer. The attacker is then able to perform any number of actions on that computer.
According to Symantec, ZeroAccess bots become aware of other peers and can propagate instructions and files throughout the network quickly and efficiently with constant communication between peers. ZeroAccess ensures that each peer continuously connects with other peers to exchange peer lists and check for updated files, making it highly resistant to any take-down attempts.
Among its main activities are Bitcoin mining and the distribution of a click-fraud Trojan, which downloads online advertisements and generates artificial clicks on them, earning payouts from pay-per-click affiliate schemes.
Symantec previously rated ZeroAccess with a “high” wild level, “medium” damage level and “easy” threat containment. Now, it is working with ISPs and global CERTs to share information and help get infected computers cleaned.
Alan Neville, threat intelligence analyst at Symantec, said: “By sinkholing this botnet Symantec has taken the first step in neutralising this threat by removing control from the attackers. Symantec is now sharing information about infected bots with ISPs and CERTs who can assist in cleaning up infected machines. A number of these are still under the botmaster’s control; however, network owners are being provided with information which will assist them in remediating these computers.
“With regards to the remaining 50 per cent of the botnet, Symantec is sharing reliable network signatures which could be used by network operators to identify clients that are infected with ZeroAccess and we are continuing to research how to impact the upgraded part of ZeroAccess infections.”