Symantec has announced that it has successfully sinkholed a significant part of the ZeroAccess botnet, which has been active since 2011 and is one of the largest known botnets in existence—with upwards of 1.9 million infected computers, generating tens of millions of dollars annually.
ZeroAccess has a highly technical and sophisticated infrastructure—it uses a peer-to-peer (P2P) architecture giving the botnet a high degree of redundancy with no central command and control server. It also uses various advanced methods to survive on infected machines.
On a blog post on Monday, Symantec’s researchers detailed the operation:
“On July 16, we began to sinkhole ZeroAccess infections. This operation quickly resulted in the detachment of over half a million bots and made a serious dent to the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new ZeroAccess bot became sinkholed. To understand the potential impact of this, we need to consider what the ZeroAccess botnet is used for.”
Though the operation lasted only a few days when it was launched back in July, Symantec has only made details public now.
During the operation, Symantec also managed to gain new insights into how much money ZeroAccess is making. The investigation showed that ZeroAccess leverages click-fraud and Bitcoin mining to carry out two revenue generating activities—draining around $560,000 a day in electricity usage alone and potentially earning tens of millions of USD per year in the process.
In the meantime, Symantec is actively working with internet service providers (ISPs) and computer emergency response teams (CERTs) worldwide to help get infected machines cleaned up.