The botnet is made up of hosts from previous compromises and there have been no observed attempts to expand the botnet.
The botnet is made up of hosts from previous compromises and there have been no observed attempts to expand the botnet.

After being disrupted by law enforcement in December 2013, the peer-to-peer (P2P) ZeroAccess botnet – also known as Sirefef – has resumed advertising click fraud activities, according to the Dell SecureWorks Counter Threat Unit (CTU).

The team first noticed the botnet reactivating from March 21, 2014, to July 2, 2014, and then on Jan. 15 it started to distribute click-fraud templates to compromised systems, a Wednesday post indicates, noting that the botnet is made up of hosts from previous compromises and there have been no observed attempts to expand the botnet.

Currently, the ZeroAccess botnet's infection base is around 55,000 systems, which is considerably lower than the reported two million systems that were infected when the botnet was taken down at the end of 2013, Jeff Williams, director of security strategy with the Dell SecureWorks CTU, told SCMagazine.com on Friday.

“The current campaign may be small by design [perhaps in order to] evade detection, and it may be largely outside of the United States and Europe as a method to avoid those law enforcement agencies which were involved in the takedown operation (FBI in the U.S. and EC3 in Europe),” Williams said.

According to a geographic distribution of ZeroAccess botnet peers included in the post, Japan has 15,322 hosts, or 27.7 percent of total infections. India is the runner-up with 7,446 hosts, or 13.5 percent of total infections, and the U.S. came in fifth with 2,540 hosts, or 4.6 percent of total infections.

“There are a variety of ways that a criminal will infect systems with malware,” Williams said. “A common method right now is through the use of an exploit kit, embedded in a hidden frame on a webpage. In some cases, these malicious frames are part of a malicious advertising campaign and delivered through the same advertising networks which they are intending to defraud.”

Threat actors typically benefit from click fraud through the cost per click model of online advertising, Williams said.

He explained that “the miscreant will leverage software – often in the form of a bot – to click through advertisements repeatedly in order to either generate revenue in a [cost per click] model or to exhaust the advertising budget of a rival.”

Click fraud often involves the use of a botnet so that clicks on advertisements are not seen coming from the same computer, Williams said. He explained that clicking from the same computer would trigger anti-fraud measures and that the clicks would be removed from the payout calculations, whereas using a botnet helps fraudsters remain undetected.

“The losers in a click fraud scenario from a monetary perspective are the advertisers,” Williams said. “They have invested money to have their advertisements viewed by people who may be interested in their product or service. They pay a finite amount which, when the [cost per click or cost per mille] limit is reached for that campaign, their ads are no longer displayed.”