
Report: Most ZeroAccess zombie computers found in U.S.

September 20, 2012

Researchers have discovered that a majority of infected computers – part of the ZeroAccess botnet – are located in the United States.

According to a new report, "The ZeroAccess Botnet - Mining and Fraud for Massive Financial Gain," by malware experts at SophosLabs, the current size of the botnet is estimated to be “somewhere in the region of one million machines,” with more than 50 percent located in the U.S.

By visiting a malicious webpage – which can range from small-time blogs to everyday news sites – users become infected with the ZeroAccess trojan, which exploits unpatched programs on their system. Once compromised, the machines become part of the botnet and are able to receive orders from command-and-control servers.

Similar to a majority of botnets, the primary motive behind this attack is financial gain. According to the SophosLabs report, the two primary tactics used are click fraud, in which infected machines repeatedly click on ads without the user's knowledge to drive up countable hits, and bitcoin mining. These strategies can earn the botnet owners a potential $100,000 each day.

Researchers have been analyzing ZeroAccess for at least three or four years, Chester Wisniewski, senior security adviser at SophosLabs, told SCMagazine.com on Tuesday. Since the U.S. is one of the richest countries in the world, he believes it's much more likely to be a target.

“Americans have really powerful computers,” Wisniewski said. “When we see malware that's meant to steal banking credentials, [attackers] like to focus on the countries that have the money. If you target Americans, you're going to get a lot more bitcoins.”

According to the report, the authors of ZeroAccess have disguised the network traffic of the botnet very well, making it difficult to pinpoint the location of the command-and-control server.

Wisniewski said that the criminals behind the botnet have veiled the network traffic as normal, everyday web traffic.

While unusual traffic from previous botnets was easier to spot, coming in the form of bogus online gaming or other random page visits, he said it's difficult to discern the difference with the million active zombies that are part of the ZeroAccess army.

“It wouldn't look any different than someone looking at their stock portfolio,” he said. “We don't know which of the million is controlling it because it's blending in with the others. There are a million connections coming into the cloud and one of the million is the bad guy.”

[An earlier version of this story incorrectly stated that bitcoin mining was a method of stealing].
