Sep 30, 2013

Blood-sucking botnet narrowly escapes extermination, lives to leech again

3:20 PM

P2P resiliency allows ZeroAccess to continue reaping click fraud windfall.

A highly resilient botnet conservatively estimated to generate about $700,000 per year in fraudulent advertising revenue narrowly escaped a shutdown engineered by whitehats from security firm Symantec.
Symantec researchers have estimated that ZeroAccess, until recently a network of about 1.9 million infected computers, generates about 1,000 fraudulent clicks per day on each machine it controls. It also harnessed the electricity and hardware at the disposal of compromised machines to carry out the mathematical operations required to "mine" bitcoins. The unusually large footprint combined with the high collective cost on advertisers and PC owners made ZeroAccess one of the most menacing botnets in current circulation. Symantec researchers set out to "sinkhole" the botnet by taking control of the command-and-control mechanism botmasters use to send and receive data from individual bots.
But there was a challenge. ZeroAccess implements a peer-to-peer architecture that was designed to withstand takedown attempts. Unlike traditional botnets that use a relatively small number of servers to communicate with infected machines, these bots exchanged data with hundreds of their peers, which in turn exchanged data with hundreds of peers. The decentralized arrangement meant ZeroAccess was immune to traditional sinkholing operations that seize control of the IP addresses or domain names the bots access to receive instructions and software updates.
Symantec researchers finally identified a fatal flaw in the way ZeroAccess implemented its P2P updating. Each bot maintained a list of just 256 internal peers. If whitehats could poison that small list of peers, they could take control of the whole network. And a second vulnerability allowed whitehats to issue commands that injected their own IP addresses into the botnet.
"It was enough that we could go in and exploit these weaknesses in order to sinkhole the P2P component of ZeroAccess," Symantec Principal Security Response Manager Vikram Thakur told Ars.
In late June, shortly after Symantec researchers discovered the weaknesses, ZeroAccess botmasters updated their malware to fix the P2P flaws. New bot versions had access to 16 million different IP addresses, and the command that allowed whitehats to inject their own addresses was killed. Realizing their ability to exploit the vulnerability was evaporating, Symantec employees began sinkholing infected machines that still hadn't installed the update. Thakur said about 40 percent to 45 percent of the massive botnet was liberated. The rest remains under the control of the botmasters. Thakur said it's common for vulnerabilities to be patched in botnet software and reckons that if his team was able to identify the weakness, ZeroAccess operators could do the same thing.
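A toy gossip model of the takeover described above, added here as an illustration and not code from the article, Symantec, or ZeroAccess itself. It assumes a bot keeps a small fixed-size peer list, adopts whatever list a contacted peer returns, and that the "inject" command overwrites a bot's list with sinkhole addresses; the `injected=0` run stands in for the patched malware with that command removed.

```python
import random

# Toy gossip model of a P2P botnet, added to illustrate the article's
# sinkholing argument; it is not ZeroAccess protocol code. Assumptions:
# a bot's peer list holds LIST_SIZE entries, a contacted peer replies with
# its whole list, and the bot adopts that reply as its new list. Sinkholes
# (negative ids) always reply with only sinkhole ids.


def make_bots(n_bots, list_size, rng):
    """Each bot starts with a random list of other bots (constructed sample)."""
    return [rng.sample([b for b in range(n_bots) if b != me], list_size)
            for me in range(n_bots)]


def is_captured(peers):
    """A bot whose list is all sinkholes can only ever reach the sinkhole."""
    return all(p < 0 for p in peers)


def simulate(n_bots=200, list_size=8, injected=10, rounds=60, seed=1):
    """Return the captured fraction of the botnet after each gossip round.

    `injected` models the command that let the researchers write their own
    addresses into bots' lists; 0 models the patched malware with that
    command removed (assumed behaviour, not the real protocol).
    """
    rng = random.Random(seed)
    bots = make_bots(n_bots, list_size, rng)
    sinkhole = [-(i + 1) for i in range(list_size)]
    for b in rng.sample(range(n_bots), injected):
        bots[b] = list(sinkhole)          # inject command: overwrite peer list
    history = []
    for _ in range(rounds):
        for b in range(n_bots):
            peer = rng.choice(bots[b])
            reply = sinkhole if peer < 0 else bots[peer]
            bots[b] = list(reply)         # adopt the reply as the new list
        # Capture is absorbing: an all-sinkhole list only ever reaches the sinkhole.
        history.append(sum(is_captured(p) for p in bots) / n_bots)
    return history


if __name__ == "__main__":
    print("inject command present:", simulate()[-1])
    print("inject command removed:", simulate(injected=0)[-1])
```

The patched run stays at zero because nothing ever places a sinkhole address into a peer list, which is the effect the malware update had on the real operation.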
ZeroAccess' narrow escape is unfortunate considering the collective drag that affects so many people. The malware causes each machine on average to click on 1,008 fraudulent ads per day, generating about six gigabytes of traffic. Conservatively assuming the botnet operators are able to reap even $0.01 per day from each infected machine, that's about $700,000 in annual revenue that's siphoned out of the ad industry. The bandwidth, electricity, and hardware facilitating the fraud are supplied by millions of mostly unsuspecting end users.
Until recently, that cost was much higher. ZeroAccess used to force infected machines to perform the compute-intensive cryptographic operations required to generate bitcoins. Assuming the average computer ran typical hardware and was turned on 24 hours a day, the mining operation performed by ZeroAccess could have leeched a collective 3.45 million kilowatt hours every 24 hours. Symantec said that's enough electricity to power more than 111,000 homes each day.

An almost incomprehensible scale

The estimates underscore the economics that make much Internet-based crime so profitable. Assuming the above conditions, the Bitcoin mining alone costs each infected person just $0.29 per day in extra electricity. The ability to saddle almost two million people with that cost, however, allowed the operators to take it to an almost incomprehensible scale. Interestingly, ZeroAccess dumped the Bitcoin mining operation earlier this year for unknown reasons.
The amount of bandwidth and advertising revenue ZeroAccess continues to siphon from the collective Internet means that the botnet remains a problem, even if its ranks have been reduced by the partial sinkholing carried out by Symantec. Thakur said Symantec is supplying data that makes it easy for ISPs to locate infected bots connecting to their networks. He'll be presenting his findings from the partially successful operation later this week at the Virus Bulletin Conference in Berlin.
Courtesy: arstechnica

© 2013 Technology Update News! All rights reserved.