Microsoft leads major disruption of ZeroAccess botnet

Microsoft, the FBI and Europol's European Cybercrime Centre (EC3) have disrupted ZeroAccess, one of the world’s largest botnets

Microsoft, the FBI and Europol's European Cybercrime Centre (EC3) have disrupted another of the world’s largest botnets or networks of hijacked and criminally controlled computers.

ZeroAccess is the seventh major botnet to be disrupted by Microsoft’s digital crimes unit (DCU) in collaboration with law enforcement and cross-industry partners.

The disruption of ZeroAccess is Microsoft's first botnet action since it opened its new Cybercrime Center in November 2013.

ZeroAccess, also known as Sirefef, is believed to have infected two million computers and, according to Microsoft, more than 800,000 infected computers were active on any given day in October 2013.

The continually evolving strategy of disruption adopted by Microsoft and other technology firms is aimed at fighting cybercrime by disabling key criminal infrastructure.

ZeroAccess was set up to hijack web search results on Google, Bing and Yahoo, and redirect victims to phishing sites designed to steal personal information to be used to commit fraud.

The botnet was also set up to generate fraudulent ad clicks on infected computers, enabling fraudsters to claim payouts from advertisers totalling an estimated $2.7m a month.

The initial takedowns of the Waledac, Rustock, Kelihos and Zeus botnets used legal action to enable the seizure of servers being used as command and control centres.

However, the takedown of the Nitol botnet in September 2012 required a slightly different approach, because only 70,000 of the 3.8 million hosted domains were malicious.

Microsoft’s DCU could not justify taking down the whole domain, so instead applied for legal permission to filter out malicious domains without affecting legitimate ones.

And in February 2013, Microsoft and Symantec once again used a combination of legal and technical action to take down the Bamital botnet.

In the latest operation, Microsoft applied for permission to block incoming and outgoing communications between computers in the US and the 18 identified internet protocol (IP) addresses being used for fraud.

Europol, working with Latvia, Luxembourg, Switzerland, the Netherlands and Germany, executed search warrants and seizure orders on various computers related to the 18 IP addresses linked to ZeroAccess.

As in the Nitol operation, Microsoft also took control of 49 domains associated with ZeroAccess.

David Finn, executive director of Microsoft’s DCU, said the disruption "will stop victims' computers from being used for fraud and help us identify the computers that need to be cleaned of the infection".

Unlike most traditional botnets, the ZeroAccess botnet relies on waves of peer-to-peer communication between groups of infected computers rather than on only a few command and control servers.

This means cyber criminals are able to control the botnet from a range of computers, making ZeroAccess more resilient to the disruptive tactics of Microsoft and its partners.

Microsoft said in a statement that it "does not expect to fully eliminate the ZeroAccess botnet due to the complexity of the threat", but that the latest action will disrupt the botnet's operation "significantly" by preventing infected computers from assisting fraud operations and by increasing the cost and risk for cyber criminals to continue doing business.

Because ZeroAccess is difficult to remove due to its ability to disable security software on a computer, Microsoft has published general instructions on how to keep computers free of malware.
