Europol, Feds and Microsoft Torpedo ZeroAccess Botnet Servers, but P2P Version Lives On

Down go several key servers, but ZeroAccess is a many-headed beast.


You’d think a nefarious slice of software designed to frustrate a practice plenty of us dislike — web ads — might engender cheers and well wishes. But no, the ZeroAccess botnet is hardly so noble: a payload of blight-riddled code that first infiltrates a Windows-based computer (more than two million to date, reportedly), then surreptitiously joins hands with its contaminated co-conspirators (less zombies than cyber-gremlins) to perpetrate click-scams, aiming computers like poison arrows at ad-flush websites and costing advertisers up to $2.7 million a month, according to Microsoft.

No more, or at least no longer to that extent: Microsoft says its digital criminal unit, working alongside Europol’s cyber-crime division, the FBI and others in the tech industry, has “successfully disrupted” the ZeroAccess botnet. Redmond and its partners worked the problem for months before swooping in yesterday, December 6, to shut down key instructional servers located across the pond.

Microsoft last week took the matter to court, filing a civil suit against the ZeroAccess botnet operators, securing legal authorization to block communications between U.S. computers and the IP addresses of 18 computers (located in Europe) identified as involved in perpetrating the scam. Microsoft also assumed control of nearly 50 domains associated with the botnet. At the same time, Europol executed a multi-country search-and-seizure action against the servers associated with those 18 IP addresses, effectively unbalancing the botnet operation.

“If the hacker community has not yet taken notice, today’s disruption of the ZeroAccess botnet is another example of the power of public-private partnerships,” said FBI Executive Assistant Director Richard McFeely in a statement. “It demonstrates our commitment to expand coordination with companies like Microsoft and our foreign law enforcement partners — in this case, Europol — to shut down malicious cyberattacks and hold cybercriminals accountable for exploiting our citizens’ and businesses’ computers.”

The key word here is “disrupted,” not “destroyed,” of course. As cybercrime blogger Brian Krebs notes:

It remains unclear how much this coordinated action will impact the operations of ZeroAccess over the long term. Early versions of ZeroAccess relied on a series of control servers to receive updates, but recent versions of the botnet malware were designed to make the network as a whole more resilient and resistant to targeted takedowns such as the one executed this week.

Indeed, Microsoft itself admits that both it and its partners “do not expect to fully eliminate the ZeroAccess botnet due to the complexity of the threat.” For starters, this does nothing to remove the ZeroAccess malware from infected computers, and as Krebs points out, the ZeroAccess P2P botnet is still up and running. All it would take, adds Dell SecureWorks security researcher Brett Stone-Gross, is for the botnet malefactors to “push a new plugin through the P2P network to restart their click fraud and search engine hijacking activities.”