ZeroAccess Botnet Takedown: A Joint Move by Law Enforcement, Business

Microsoft and law enforcement get together to try and top a botnet that takes aim at infecting users' search engine results.

IT security

Much of the ZeroAccess botnet's access will be shut down or restricted today as a result of a coordinated effort from the Federal Bureau of Investigation and the Europols European Cybercrime Centre (EC3), with the support of tech vendors Microsoft and A10 Networks.

The ZeroAccess botnet has been wreaking havoc throughout much of 2013 and had infected more than 2 million user PCs. ZeroAccess has been implicated in a number of illicit activities, including being used as an unauthorized Bitcoin mining operation.

ZeroAccess has also been active as a vehicle for click fraud related to search engine redirection and hijacking. The click fraud occurred by way of the ZeroAccess botnet being leveraged on victims' PCs to infect users' search engine results on the Google, Microsoft Bing and Yahoo search engines.

According to Microsoft, the ZeroAccess botnet's click-fraud impact was costing advertisers an estimated $2.7 million per month.

The ZeroAccess botnet is constructed as a highly distributed peer-to-peer network with no single point of failure. In order to disrupt the botnet, Microsoft filed lawsuits against persons identified only as "John Does 1-8 controlling a computer thereby injuring Microsoft and its Customers."

The initial complaint was filed in the U.S. District Court for the Western District of Texas on Nov. 25.

"Microsoft seeks injunctive and other equitable relief and damages against the operators of a controlled network of computers, known as the 'ZeroAccess' botnet by means of the ZeroAccess Fraud Control IP Address and Fraud Control Domain that have and continue to cause irreparable injury to Microsoft, its customers and the public," the complaint states.

The legal complaint also identifies the structure of the ZeroAccess botnet command and control infrastructure as being comprised of at least 49 different Internet domains around the world structured in a peer-to-peer network."When ZeroAccess first infects a computer, the newly infected computer does not contain the files or module required to commit actual click fraud or browser hijacking," the legal complaint explains. "Rather, the newly-infected computer must acquire the files and module from the first peer it contacts."

As part of the legal action, Microsoft has now taken control over the traffic to the 49 Internet domains, which is intended to disrupt the operations of the ZeroAccess botnet. In Europe, Europol seized an additional 18 IP addresses and their associated servers.

"If the hacker community has not yet taken notice, today's disruption of the ZeroAccess botnet is another example of the power of public-private partnerships," FBI Executive Assistant Director Richard McFeely said in a statement. "It demonstrates our commitment to expand coordination with companies like Microsoft and our foreign law-enforcement partners—in this case, Europol—to shut down malicious cyber-attacks and hold cyber-criminals accountable for exploiting our citizens' and businesses' computers."

The ZeroAccess botnet isn't the first major botnet disruption Microsoft has been part of this year. In June, the Citadel botnet, which had been active since at least 2011, was disrupted in a joint action with the FBI.

While the new action against ZeroAccess will disrupt the botnet, Microsoft admits that due to the complexity of the peer-to-peer network architecture, ZeroAccess is not yet fully eliminated.

Microsoft is providing recommendations for PC users to help remove the threat from their own devices at

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.