ZeroAccess (also known as Sirefef) is a peer-to-peer (P2P) botnet for perpetrating advertising click-fraud. It was disrupted by law enforcement in December 2013. The Dell SecureWorks Counter Threat Unit™ (CTU) research team observed the botnet reactivate from March 21, 2014 until July 2, 2014. On January 15, 2015 at 7:58 pm EST, the botnet again began distributing click-fraud templates to compromised systems.
The threat actors behind ZeroAccess have not attempted to expand the botnet with new compromises following the December 2013 disruption. Instead, the botnet is composed of residual hosts from past compromises, so it is much smaller than it has been in the past. ZeroAccess is segmented into two distinct botnets that operate over different UDP ports:
- UDP 16464/16471 — used by compromised Windows systems running on a 32-bit architecture
- UDP 16465/16470 — used by compromised Windows systems running on a 64-bit architecture
Compromised systems act as nodes in the P2P network, and they periodically receive new templates that include URLs for attacker-controlled template servers.
After the systems visit these URLs, the malware begins a cascade of redirects that eventually lead to a Traffic Direction System (TDS) that sends the bot to its final destination (see Figure 1).
Figure 1. Advertising click-fraud request chain. (Source: Dell SecureWorks)
CTU researchers observed 55,208 unique IP addresses participating in the botnet between January 17 and January 25, 2015. During this time period, the P2P network had participation from 38,094 hosts in the 16464/16471 (32-bit) segment and 17,114 hosts in the 16465/16470 (64-bit) segment. Figure 2 shows the daily participation by unique IP addresses in each botnet segment.
Figure 2. Daily active and unique nodes in the 32-bit (blue) and 64-bit (gray) ZeroAccess botnet segments. (Source: Dell SecureWorks)
Table 1 lists the top ten geographic locations of these hosts.
Country | Count | Percent of total |
Japan | 15,322 | 27.7% |
India | 7,446 | 13.5% |
Russia | 7,101 | 12.9% |
Italy | 3,649 | 6.6% |
United States | 2,540 | 4.6% |
Brazil | 2,145 | 3.9% |
Taiwan | 2,087 | 3.8% |
Romania | 1,982 | 3.5% |
Venezuela | 1,231 | 2.2% |
Germany | 1,138 | 2.1% |
Table 1. Geographic distribution of ZeroAccess botnet peers.
Although the threat actors behind ZeroAccess have not made any measurable attempts to augment the botnet in more than a year, it remains substantial in size.
Its resiliency is a testament to the tenacity of its operators and highlights the danger of malware using P2P networks. ZeroAccess does not pose the same threat as other botnets used to perpetrate banking fraud, steal login credentials and valuable data, or hold victims' files for ransom. However, it does cause untold fraud losses for advertisers and consumes considerable resources for organizations with compromised hosts.