ZeroAccess Web Fraud Botnet Disrupted by Microsoft

Posted by on Dec 6, 2013 in Uncategorized | 0 comments

ZeroAccess Web Fraud Botnet Disrupted by Microsoft

One of the worlds largest botnets; ZeroAccess has been disrupted by law enforcement agencies and Microsoft. ZeroAccess is a network of computers infected with malware, designed to trigger online fraud.

Two million users who have been infected with the malware experience hijacked web search results, as well as redirects to potentially dangerous sites to steal their details.

As well as this, the payload also uses the host machine’s processing power to generate bitcoins or fraudulent ad clicks on infected workstations and then requests payouts from conned advertisers.

This botnet is also called Sirefef and max++ and targets the major search engines including Yahoo, Bing, Google. The total cost to online advertisers has been estimated to be around £1.7 million per month!


Microsoft has been quoted as saying they have been authorised by US regulators to “block incoming and outgoing communications between computers located in the US and the 18 identified Internet Protocol (IP) addresses being used to commit the fraudulent schemes”.

As part of the disruption process, Microsoft have also taken control of 49 domain names connected to the ZeroAccess botnet.

David Finn, executive director of Microsoft Digital Crimes Unit, said the disruption “will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection”.

Typically, Zeroaccess infects the Master Boot Record (MBR) of the infected machine. It may alternatively infect a random driver in C:\Windows\System32\Drivers, giving it total control over the operating system[citation needed]. It also disables the Windows Security Centre, removing the Security Centre service, Firewall and Defender, from Windows 7. This can be repaired by using a program named “sfc”. An infected MBR, if the standard one is used, can be replaced by an uninfected copy using standard techniques.

Communication over the bot net is spread via other infected machines instead of receiving instruction from a few servers. This makes this botnet more difficult to stop due to the lack of a central command and control server.

According to Microsoft, more than 800,000 ZeroAccess-infected computers were active on the internet on any given day as of October this year.

“Due to its botnet architecture, ZeroAccess is one of the most robust and durable botnets in operation today and was built to be resilient to disruption efforts,” Microsoft said.

However, the firm said its latest action is “expected to significantly disrupt the botnet’s operation, increasing the cost and risk for cyber criminals to continue doing business and preventing victims’ computers from committing fraudulent schemes”.

Microsoft said its Digital Crimes Unit collaborated with the US Federal Bureau of Investigation (FBI) and Europol’s European Cybercrime Centre (EC3) to disrupt the operations.

Earlier this year, security firm Symantec said it had disabled nearly 500,000 computers infected by ZeroAccess and taken them out of the botnet.

If you feel your computer has been infected with this malware, or something similar, GiraffeDog can help clean up your computer system and get you back up and running.

Related Links

Comments are closed.