Symantec researchers sinkhole Bitcoin mining Zero Access botnet horde

[Matsuda]

Scam earns crooks just $2,165 in Bitcoins for every $600,000 stolen

RESEARCHERS AT SECURITY FIRM Symantec have successfully sinkholed a significant proportion of the infamous Zero Access botnet, rescuing hundreds of thousands of the 1.9 million victims from the scam's zombie masters.

Symantec reported details of the operation after discovering a way tosinkhole an early version of the Zero Access botnet. The firm claimed that despite not working on an evolved version of the malicious program, the operation managed to detach over 500,000 machines from the zombie network.

"This operation quickly resulted in the detachment of over half a million bots and made a serious dent to the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new Zero Access bot became sinkholed," read the blog post.

Sinkholing is a takedown commonly used by law enforcement and security professionals when combating botnets. The technique works by re-routing the identification of the malicious command and control (C&C) server used by the botnet to send commands to the zombie machines to the sinkholer's own analysis server.

Prior to Symantec's operation the Zero Access botnet was thought impossible to sinkhole as it doesn't feature a central C&C server, instead operating on a peer-to-peer network.

"Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet. Whenever a computer becomes infected with Zero Access, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network," explained Symantec.

"What this exercise has shown is that despite the resilient P2P architecture of the Zero Access botnet, we have still been able to sinkhole a large portion of the bots. This means that these bots will no longer be able to receive any commands from the botmaster and are effectively unavailable to the botnet both for spreading commands and for updating or new revenue generation schemes."

Symantec reported that as well as saving hundreds of thousands of machines it was also able to learn key details about the botnet's Bitcoin mining and click fraud scams. The Zero Access botnet's Bitcoin mining operation was highlighted as particularly interesting, revealing that the scam was causing as much as $560,887 worth of harm per day.

"To work out the cost of Zero Access to an unsuspecting victim, we calculate the difference between the cost of Bitcoin mining versus the cost of the computer idling; for our test setup it works out at an extra 1.82 KWh each day, which is not a whole lot for one victim to pay," read the report.

"If each KWh of electricity costs $0.162 then it would cost $0.29 to mine on a single bot for 24 hours. But multiply this figure by 1.9 million for the whole botnet and we are now looking at energy usage of 3,458,000KWh (3,458MWh, enough to power over 111,000 homes each day).

"This amount of energy is considerably greater than the output of the largest power station in Moss Landing, California, which could produce 2,484MW and would come with a corresponding electricity bill of $560,887 a day. Despite the costs, all this energy will create just $2,165 worth of Bitcoins a day."

The botnet's click fraud scam was shown to be more profitable, with Symantec listing it as having the potential to generate millions of dollars each year. "The bots running click fraud operations are quite active. In our tests, each bot generated approximately 257MB of network traffic every hour or 6.1GB a day," read the report.

"They also generated around 42 false ad clicks an hour (1,008 each day). While each click may pay a penny or even a fraction of a penny, across 1.9 million infected machines, the attacker is potentially generating tens of millions of dollars a year."

Zero Access is one of many botnets to be targeted with a sinkhole attack in recent months. Prior to Zero Access, Microsoft and the FBI targeted the infamous Citadel botnet with a sinkhole attack. At its height the Citadel botnet is believed to have controlled millions of infected PCs and been responsible for more than $500m in bank fraud.

Source