ZeroAccess: Sinkhole Sucks Brains From Big Bitcoin Mining Botnet

One of the biggest botnets in the world has had a quarter of its bots taken out of action, thanks to a sinkholing operation from security researchers.

ZeroAccess had a 1.9 million bots under its control, but half a million have now been detached from the malicious peer-to-peer network. P2P botnets are harder to sinkhole than traditional malicious networks, as they don’t have central points of control like others do.

The botnet was one of the biggest Bitcoin mining botnets in the world, having bots help work out tricky mathematical problems to produce coins of the cyrpto-currency.

ZeroAccess also earned plenty of money by delivering a click fraud Trojan, which would generate artificial clicks on ads as if they were from legitimate users.

ZeroAccess takes a hit

Whilst neither of ZeroAccess’ two main operations directly impacts victims’ bank balances, it has caused significant secondary effects, Orla Cox, security operations manager for Symantec Security Response, told TechWeekEurope.

Symantec operated a sinkhole to clear up ZeroAccess activity and during its research found each bot was using 257MB of network traffic every hour or 6.1GB a day, generating around 42 false ad clicks an hour. The botnet could therefore be generating tens of millions of dollars a year, to the detriment of ad networks.

There has been a cost for the environment too. Comparing the energy used by an idle PC, and an infected machine mining for Bitcoin,  Symantec determined 1.82 KWh was being used per day by one victim machine. Multiplying that by 1.9 million gives 3,458 MWh per day – enough to power over 111,000 homes.

The botnet’s Bitcoin operation was only profitable because it used stolen electricity: it used about $561,000  (£347,000)  of electricity a day on its victims’ machines, while only generating  $2,165 (£1340) a day.

Cox said she was confident Symantec’s sinkholing operation would make a significant dent in ZeroAccess’ success. The researchers managed to sinkhole the P2P network by seeding their own peers into the communication used by the botmasters.

Earlier this year, a paper was released detailing a vulnerability in the botnet’s custom protocol. The botmasters then updated the protocol to close off the flaw, but only for half the bots.

“We decided to move quickly at that point,” Cox told TechWeek. It remains unclear why only half the bots were updated. “It could be potentially that there are multiple people involved, that this is only one part of the group. Maybe they were just testing it.”

Symantec is now working with ISPs across the world to have the infected machines cleaned, 1.3 percent of which are based in the UK. The US has the highest level of infection with 35 percent.

Cox said law enforcement had shown an interest in tackling the botnet and its controllers. “We believe it’s classic cyber criminal gangs [using ZeroAccess]. They’re likely from Eastern Europe, Ukraine, Russia. They are definitely professional in some way.”

Are you a security expert? Try our quiz!