The ZeroAccess botnet: mining and fraud for massive financial gain

From Botnets.fr
Botnet: ZeroAccess
Date: 2012 / 2012-09
Editor/Conference: Sophos Labs
Link: http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx (www.sophos.com; archive copy available)
Author: James Wyke

Abstract

Since our last paper on ZeroAccess, the authors have made significant changes. In this paper we will examine those changes and take a closer look at the ZeroAccess botnet itself, exploring its size, functionality and purpose. We will explain in detail how the peer-to-peer protocol works, what network traffic is created, and how the bot phones home during installation. Then we will examine the plugin files that the botnet downloads: what these files are, what they do and how they work.

We will show how ZeroAccess has been installed over 9 million times and that the current size of the botnet is somewhere in the region of 1 million machines spread throughout the world, but with the majority located in the U.S. We will explore the financial aspects of the botnet, examining how click fraud and Bitcoin mining can earn the botnet owners a potential $100,000 a day. Finally we will explore some counter-measures that can be taken against the botnet and attempt to draw some conclusions from what we have learned.

Bibtex

 @misc{2012BFR1169,
   editor = {Sophos Labs},
   author = {James Wyke},
   title = {The ZeroAccess botnet: mining and fraud for massive financial gain},
   date = {01},
   month = Sep,
   year = {2012},
   howpublished = {\url{http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx}},
 }