The following is a post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.
For the third time this year, Microsoft’s Digital Crimes Unit has successfully disrupted a dangerous botnet that has impacted millions of innocent people. Today, we’re pleased to announce that Microsoft, in conjunction with Europol’s European Cybercrime Centre (EC3), the Federal Bureau of Investigation and technology industry leaders such as A10 Networks, has taken action against the rampant Sirefef botnet, also known as ZeroAccess. The ZeroAccess botnet has infected nearly two million computers all over the world and cost online advertisers upwards of $2.7 million each month.
ZeroAccess targets all major search engines and browsers, including Google, Bing and Yahoo!. The majority of computers infected with ZeroAccess are located in the U.S. and Western Europe. Similar to the Bamital botnet, which Microsoft and industry partners took action against in February, ZeroAccess hijacks search results and directs people to potentially dangerous websites that could install malware onto their computers, steal their personal information or commit click fraud, fraudulently charging businesses for online advertisement clicks.
Because of its peer-to-peer architecture, ZeroAccess is one of the most robust and durable botnets in operation today. It was built to be resilient to disruption efforts: rather than depending on a small set of central command-and-control servers that could be seized or blocked, it relies on a peer-to-peer infrastructure that allows cybercriminals to remotely control the botnet from tens of thousands of different computers. Most often, computers become infected with ZeroAccess as a result of “drive-by downloads,” where the cybercriminals create a website that downloads malware onto any unprotected computer that happens to visit that site. Computers can also become infected through counterfeit and unlicensed software, where criminals disguise ZeroAccess as a legitimate program and trick a person into installing it.
Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet. However, we do expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes. We would like to thank A10 Networks, who provided Microsoft with advanced technology to support the disruptive action.
Microsoft is working with ecosystem partners around the world to notify people if their computer is infected, and will be making this information available through its Cyber Threat Intelligence Program (C-TIP). ZeroAccess is very sophisticated malware, blocking attempts to remove it, and we therefore recommend that people visit http://support.microsoft.com/botnets for detailed instructions on how to remove this threat. Because Microsoft found that the ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it is critical that victims rid their computers of ZeroAccess by using malware removal or anti-virus software as quickly as possible.
This is the first botnet action since the Nov. 14 unveiling of the new Microsoft Cybercrime Center, a center of excellence for advancing the global fight against cybercrime, and marks Microsoft’s eighth botnet action in the past three years. As with Microsoft’s Citadel botnet case, the ZeroAccess action is part of an extensive cooperative effort with industry partners and law enforcement to take out cybercriminal networks so that people worldwide can use their computing devices and services with confidence.
More information about Thursday’s action against ZeroAccess is available here. This case and operation are ongoing, and we’ll continue to provide updates as they become available. To stay up to date on the latest developments in the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.