Microsoft today announced its Digital Crimes Unit has successfully disrupted the ZeroAccess botnet, with the help of Europol’s European Cybercrime Centre (EC3), the Federal Bureau of Investigation (FBI), and other industry partners. Also known as the Sirefef botnet, ZeroAccess infected nearly 2 million computers worldwide and cost online advertisers upwards of $2.7 million each month.
Last week, Microsoft filed a civil suit against the cybercriminals operating the ZeroAccess botnet and received authorization from the US District Court for the Western District of Texas to simultaneously block incoming and outgoing communications between computers located in the US and the 18 identified IP addresses being used to commit the fraudulent schemes. Microsoft also took over control of 49 domains associated with the ZeroAccess botnet.
Meanwhile, Europol coordinated a multijurisdictional criminal action targeting the 18 IP addresses located in Latvia, Luxembourg, Switzerland, the Netherlands, and Germany. It executed search warrants and seizures on computer servers associated with the fraudulent IP addresses in Europe.
ZeroAccess targets all major search engines (Google, Bing, and Yahoo) as well as all major browsers. Once on a system, usually as the result of a drive-by-download or from installing counterfeit software, it hijacks search results and directs users to potentially dangerous websites that could install malware onto their computer, steal their personal information, or fraudulently charge businesses for online ad clicks.
The majority of computers infected with it are located in the US and Western Europe. Microsoft says ZeroAccess is one of the most robust and durable botnets in operation today, as it relies on a peer-to-peer infrastructure that allows cybercriminals to remotely control it from tens of thousands of different computers.
As a result, Microsoft and its partners say they don’t expect to fully eliminate the ZeroAccess botnet. However, the group does “expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes.”
Microsoft is working with its partners around the world to notify users if their computer is infected. Since ZeroAccess blocks attempts to remove it, for example by disabling security features on infected computers and leaving them open to other attacks, the company recommends using malware removal tools as soon as possible. Detailed instructions on how to do so are here.
The disruption of ZeroAccess is thus ongoing. It’s going to be a vicious and long fight.