
Financial Fraud Law

ZeroAccess Botnet is ‘Disrupted,’ Microsoft Says

The Microsoft Digital Crimes Unit said that it has successfully disrupted a rampant botnet in collaboration with Europol’s European Cybercrime Centre (EC3), the Federal Bureau of Investigation (FBI), and other technology companies, including A10 Networks Inc.

According to Microsoft, the Sirefef botnet, also known as ZeroAccess, is responsible for infecting more than two million computers, specifically targeting search results on the Google, Bing, and Yahoo search engines, and is estimated to cost online advertisers $2.7 million each month. The company said that the action was expected to significantly disrupt the botnet’s operation, increasing the cost and risk for cybercriminals to continue doing business and preventing victims’ computers from being used to commit fraudulent schemes.

This is Microsoft’s first botnet action since the November 14 unveiling of its new Cybercrime Center and marks the company’s eighth botnet operation in the past three years. Similar to Microsoft’s Citadel botnet case, the ZeroAccess case is part of an extensive cooperative effort with international law enforcement and industry partners to dismantle cybercriminal networks. 

“This operation marks an important step in coordinated actions that are initiated by private companies and, at the same time, enable law enforcement agencies around Europe to identify and investigate the criminal organizations and networks behind these dangerous botnets that use malicious software to gain illicit profits,” said Troels Oerting, head of the EC3. “EC3 added its expertise, information communications technology infrastructure and analytic capability, as well as provided the platform for high-level cooperation between cybercrime units in five European countries and Microsoft.”

Microsoft said that, because of its architecture, ZeroAccess is one of the most robust and durable botnets in operation and was built to be resilient to disruption efforts: it relies on a peer-to-peer infrastructure that allowed cybercriminals to remotely control the botnet from tens of thousands of different computers rather than from a single command server. ZeroAccess is used to commit a slew of crimes, including search hijacking, which redirects people’s search results to sites they had not intended or requested to visit in order to steal the money generated by their ad clicks, according to Microsoft. ZeroAccess also commits click fraud, which occurs when advertisers pay for clicks that are not the result of legitimate, interested human users’ clicks but are instead generated by automated Web traffic and other criminal activity, Microsoft added.

Research by the University of California, San Diego showed that as of October 2013, 1.9 million computers were infected with ZeroAccess, and Microsoft determined there were more than 800,000 ZeroAccess-infected computers active on the Internet on any given day.

“The coordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection,” said David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit. “Microsoft is committed to working collaboratively — with our customers, partners, academic experts and law enforcement — to combat cybercrime. And we’ll do everything we can to protect computer users from the sinister activities and criminal networks that victimize innocent people and businesses around the world.” 

Last week, Microsoft filed a civil suit against the alleged cybercriminals operating the ZeroAccess botnet and received authorization from the U.S. District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the U.S. and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes. In addition, Microsoft took over control of 49 domains associated with the ZeroAccess botnet. A10 Networks provided Microsoft with advanced technology to support the disruptive action.

As Microsoft executed the order filed in its civil case, Europol coordinated a multijurisdictional criminal action targeting the 18 IP addresses located in Europe. Specifically, Europol worked with Latvia, Luxembourg, Switzerland, the Netherlands, and Germany to execute search warrants and seizures on computer servers associated with the fraudulent IP addresses located in Europe.

This is the second time in six months that Microsoft and law enforcement have worked together to successfully disrupt a prevalent botnet. 

“If the hacker community has not yet taken notice, today’s disruption of the ZeroAccess botnet is another example of the power of public-private partnerships,” FBI Executive Assistant Director Richard McFeely said. “It demonstrates our commitment to expand coordination with companies like Microsoft and our foreign law enforcement partners — in this case, Europol — to shut down malicious cyberattacks and hold cybercriminals accountable for exploiting our citizens’ and businesses’ computers.”

Microsoft said that it and its partners do not expect to fully eliminate the ZeroAccess botnet due to the complexity of the threat. However, Microsoft said, it expects that this action will significantly disrupt the botnet’s operation. Microsoft added that it is working with ecosystem partners around the world to notify people if their computers are infected and will make this information available through its Cyber Threat Intelligence Program (C-TIP). ZeroAccess is very sophisticated malware, blocking attempts to remove it, and Microsoft therefore recommended that people visit http://support.microsoft.com/botnets for detailed instructions on how to remove this threat. Because Microsoft found that the ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it said that it is critical that victims rid their computers of ZeroAccess by using malware removal or antivirus software as quickly as possible. Europol is also providing information on its website about botnets to educate the public on how to protect themselves.

 Contact the author at smeyerow@optonline.net
