Microsoft's ZeroAccess Botnet Takedown No 'Mission Accomplished'
Microsoft's intentions are good, but its efforts to disrupt cybercrime aren't as effective as they could be, according to researchers at Damballa. In the case of the recent ZeroAccess disruption, for example, chances are good that the botnet can revive itself. Furthermore, Microsoft sometimes catches dolphins in its nets, thwarting legitimate research efforts.
12/09/13 9:44 AM PT
Microsoft announced last week that it had disrupted the ZeroAccess botnet, which has been around since 2011.
It joined forces with the United States Federal Bureau of Investigation, the European Cybercrime Center, and several high-tech companies including A10 Networks.
Microsoft also filed suit against various John Does believed to be involved with the botnet.
However, the operators of ZeroAccess have since pushed out commands to infected PCs on two occasions.
Microsoft's attack was incomplete and took down only about 40 percent of the botnet's infrastructure, Manos Antonakakis, chief scientist at Damballa, told TechNewsWorld. "Microsoft disturbed a component of the code."
What Microsoft Did
Microsoft recently filed a civil suit against the ZeroAccess operators and obtained a court order letting it block all traffic between computers in the U.S. and 18 IP addresses in Europe being used by the botnet. It also took control of 49 domains suspected to be associated with the botnet.
Meanwhile, law enforcement agencies in various European countries were to execute search warrants on and seize computer servers associated with the 18 IP addresses.
This is Microsoft's first cybercrime action since it unveiled its state-of-the-art Cybercrime Center last month.
ZeroAccess Cowed but Not Clobbered
ZeroAccess's botmaster on Thursday "sent an updated module or command to the bots instructing them to start using a different untouched infrastructure," Vikram Thakur, a security researcher at Symantec, told TechNewsWorld. Symantec had itself targeted ZeroAccess in October.
"Later in the day, the botmaster sent yet another update instructing [the bots] to cease performing any clickfraud," Thakur continued.
The botmaster also sent out an update bearing only the message "White Flag," which sparked speculation that the operators of ZeroAccess might have thrown in the towel.
However, the "White Flag" message "can change at any moment," Thakur warned. "In the past 24 hours, we've seen updates from the botmaster three times."
At this point, the infected computers are simply waiting for a new module or command set to be delivered by the botmaster, Thakur said.
ZeroAccess's resilience is due to its P2P command and control infrastructure: with no central server to seize, the botmaster can revive the botnet after an attack simply by pushing out new commands to the remaining peers.
However, Microsoft's incomplete takedown of ZeroAccess's click-fraud component would have been insufficient even if the botnet did not use a P2P CNC setup, according to a blog post by Yacin Nadji, a Ph.D. candidate at Georgia Institute of Technology, and Damballa's Antonakakis.
The botnet's monetization was largely unaffected and would remain so even if the botnet owners had not sent updates after Microsoft's attack.
Further, Microsoft apparently seized and sinkholed the servers of at least one legitimate security researcher.
That researcher has been named as "John Doe #2" in the lawsuits Microsoft filed in connection with ZeroAccess, Nadji and Antonakakis said in their blog post.
This is not the first time Microsoft's Digital Crimes Unit has impacted legitimate security researchers, they alleged.
When attacking the Zeus botnet, Microsoft seized control of domains that already had been sinkholed by the ShadowServer Foundation, noted Nadji and Antonakakis. This cost researchers from white-hat organizations access to important sources of data on that threat.
Give Us Shock and Awe
"If you want to clean up the Internet like Microsoft does, which is a great thing, don't go for simple takedowns," Damballa's Antonakakis remarked.
"Do the proper recon, identify the entire CNC infrastructure, and in a single action, take down the P2P network so the botnet won't be able to update itself," he advised. "Destroy any CNC backup mechanism if there is any."