One of the biggest botnets in the world has had a quarter of its bots taken out of action, thanks to a sinkholing operation from security researchers.
ZeroAccess had a 1.9 million bots under its control, but half a million have now been detached from the malicious peer-to-peer network. P2P botnets are harder to sinkhole than traditional malicious networks, as they don’t have central points of control like others do.
The botnet was one of the biggest Bitcoin mining botnets in the world, having bots help work out tricky mathematical problems to produce coins of the cyrpto-currency.
Whilst neither of ZeroAccess’ two main operations directly impacts victims’ bank balances, it has caused significant secondary effects, Orla Cox, security operations manager for Symantec Security Response, told TechWeekEurope.
Symantec operated a sinkhole to clear up ZeroAccess activity and during its research found each bot was using 257MB of network traffic every hour or 6.1GB a day, generating around 42 false ad clicks an hour. The botnet could therefore be generating tens of millions of dollars a year, to the detriment of ad networks.
There has been a cost for the environment too. Comparing the energy used by an idle PC, and an infected machine mining for Bitcoin, Symantec determined 1.82 KWh was being used per day by one victim machine. Multiplying that by 1.9 million gives 3,458 MWh per day – enough to power over 111,000 homes.
The botnet’s Bitcoin operation was only profitable because it used stolen electricity: it used about $561,000 (£347,000) of electricity a day on its victims’ machines, while only generating $2,165 (£1340) a day.
Cox said she was confident Symantec’s sinkholing operation would make a significant dent in ZeroAccess’ success. The researchers managed to sinkhole the P2P network by seeding their own peers into the communication used by the botmasters.
Earlier this year, a paper was released detailing a vulnerability in the botnet’s custom protocol. The botmasters then updated the protocol to close off the flaw, but only for half the bots.
“We decided to move quickly at that point,” Cox told TechWeek. It remains unclear why only half the bots were updated. “It could be potentially that there are multiple people involved, that this is only one part of the group. Maybe they were just testing it.”
Symantec is now working with ISPs across the world to have the infected machines cleaned, 1.3 percent of which are based in the UK. The US has the highest level of infection with 35 percent.
Cox said law enforcement had shown an interest in tackling the botnet and its controllers. “We believe it’s classic cyber criminal gangs [using ZeroAccess]. They’re likely from Eastern Europe, Ukraine, Russia. They are definitely professional in some way.”
Are you a security expert? Try our quiz!
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…
View Comments
Makes you realise what a stupid idea the Bitcoin concept is. A system/concept that by definition is wasteful and pointless
You're mistaken. It depends entirely on your method of mining bitcoins, and the btc-per-watthour has risen enormously the past two years. Even before its current state it was profitable given the proper GPU-based setup.
Someone should tell this guy to mine LITECOIN instead Bitcoin, if on CPU.
Then profitability should be 10-30% of electrical bill afair.
This will be the reason that Timekoin will overtake all of these types of virtual currency as it has removed the silly requirement that faster CPU/GPU/whatever is necessary to secure it.