
Not even Microsoft could kill the ZeroAccess botnet

Microsoft announced a big victory against a botnet estimated to cost online advertisers $2.7 million per month, but it hasn't killed the beast yet.

Late last week, Microsoft announced it had taken down much, but not all, of a major botnet that has been operating since 2011, with its command infrastructure in Europe.

The Microsoft Digital Crimes Unit worked in conjunction with Europol's European Cybercrime Centre (EC3), the FBI and major tech firms to take down the botnet. The ZeroAccess botnet is responsible for infecting more than 2 million computers, according to research by the University of California, San Diego. Microsoft estimated that more than 800,000 ZeroAccess-infected computers were active on the Internet on any given day.

Microsoft first filed a civil suit against the ZeroAccess operators and obtained a court order allowing it to block all traffic between computers in the U.S. and 18 IP addresses in Europe being used by the botnet. Microsoft also took control of 49 domains suspected of being associated with the botnet, and European law enforcement agencies executed search warrants on, and seized, servers associated with those 18 IP addresses.

ZeroAccess targeted search results on the Google, Bing and Yahoo search engines and is estimated to have cost online advertisers $2.7 million per month. It is used to commit a slew of crimes, including search hijacking: intercepting a victim's search results and redirecting the victim to sites they had not intended or requested to visit, so that the operators can collect the money generated by the resulting ad clicks.

ZeroAccess also commits click fraud: infected machines generate automated clicks on advertisements, disguised to look like the clicks of legitimate, interested human users, so advertisers pay for traffic that was never real.

This was a tough botnet. It uses a peer-to-peer infrastructure, so the cybercriminals can control it remotely through tens of thousands of different computers rather than a handful of central servers. As a result, Microsoft believes it snagged only about 40% of the botnet, which by its own figures leaves well over a million infected machines out there. Command-and-control traffic has already been observed reaching machines that had previously been dormant.

This is Microsoft’s eighth botnet operation in the past three years and the first botnet action since Microsoft opened its new Cybercrime Center on November 14.

Microsoft and its partners said they do not expect to fully eliminate the ZeroAccess botnet on account of its complexity. And because ZeroAccess disables security features on infected computers, those machines are left open to further infections, not just ZeroAccess.

This proves once again that only a company the size of Microsoft can muster the resources and pull to get this kind of sting done.
