Shutting down a botnet

The ZeroAccess botnet caused damage worth millions before it was shut down in December 2013.

Text: Serge Droz, published on 16.04.2015

The first report on a new piece of malware dubbed ZeroAccess appeared on 13 July 2011. Using highly sophisticated rootkit technology, the primary motivation behind ZeroAccess was to make money through pay-per-click advertising, but it was also capable of mining bitcoins, installing a back door on infected systems and more besides.

ZeroAccess was one of the most lucrative botnets ever, in-fecting over two million PCs worldwide and causing damage amounting to USD 2.7 million per month. It also caused thousands of francs worth of damage in Switzerland. The botnet was distributed through an infrastructure called the Blackhole exploit kit, which was instrumental in distributing a number of malware species besides ZeroAccess, notably Zeus and Citadel, both of which attack banks. The kit was available to lease for USD 700 a week.

A phone call from CYCO

In December 2013, SWITCH got an urgent phone call from CYCO, the Cybercrime Coordination Unit Switzerland. Coordinated by Europol and the FBI, a global effort was started to take out critical systems for ZeroAccess’s click fraud module, and SWITCH was asked to participate in the in site operation. It was a complete success: the click fraud came to an immediate halt, and on the next day the botnet received an extraordinary command: "White Flag". Little activity has been seen since then, and the ZeroAccess botnet has shrunk from two million bots at its height to a mere 50,000 globally. Also in December 2013, Russian authorities announced that they had arrested the owner of the Blackhole kit.

As this example shows, collaboration with teams all over the world is essential in fighting cybercrime. One single computer emergency response team like SWITCH-CERT cannot fight a botnet of global dimensions, at least not on its own. CERTs never work in isolation. Instead, they take advantage of their network of national and international partners to coordinate actions against cybercriminals. The primary focus of a CERT is the protection of its constituency, i.e. its customers.

Reduction, detection and clean-up

At SWITCH, we follow a two-fold approach in such cases: reduction of new infections and detection, followed by a clean-up of compromised systems. To this end, SWITCH receives lists from its partners on a daily basis showing compromised web servers for .ch/.li domains that are used for drive-by attacks. The owners of these websites are then informed and given one day to solve the problem. If they fail to do so, SWITCH suspends the domain names to protect visitors.

SWITCH does not have the resources to investigate each and every exploit kit used in Switzerland. We thus pass our findings, i.e. the malicious links in hacked websites, to trusted third parties. These are typically other CERTs around the world, which we meet regularly and have worked with before. They can use this information to gather more intelligence about the back end.

Put simply, this entails pretending to be part of the "evil empire" so as to attract infected systems.

This very same information can also be used to detect infected clients in the academic backbone. So-called indicators of compromise (IOCs) flag up connections to malicious sites. We inform our customers of the findings relevant to their sites so that they can fix any problems found. This approach has proven successful: a new malware family is typically eradicated from the academic backbone within a few weeks, thanks to our partners at the Swiss universities.

A technique called sinkholing

Detecting infected clients is often a difficult task, but researchers around the world monitor large botnets through a technique called sinkholing. Put simply, this entails pretending to be part of the "evil empire" so as to attract infected systems. Lists of such clients are then redistributed to network operators around the world for clean-up. SWITCH-CERT, being a trusted member of the global security community, receives hundreds of infected IP addresses from all over Switzerland every day. These are then redistributed to our colleagues at the various Swiss ISPs.

ZeroAccess is an excellent example of how one CERT on its own is too small to fight global botnets, but success can be achieved through interaction and cooperation.

This article appeared in the SWITCH Journal April 2015.
About the author
Serge   Droz

Serge Droz

Serge Droz studied Physics at the Federal Institute of Technology in Zurich and holds a PhD in Theoretical Physics from the University of Alberta, Canada. He worked as a computer security officer at the Paul Scherrer Institute. He has been in charge of the Computer Emergency Response Team (CERT) at SWITCH since 2004.


What data do CERTs share?

SWITCH-CERT is mostly on the receiving end when it comes to data sharing. We regularly obtain information about:

  • Possibly hacked systems at Swiss universities, or in Switzerland generally
  • Hacked web servers used to distribute malware or host phishing sites
  • Lists of known malicious systems
  • Huge amounts of compromised login credentials, sometimes with passwords.

However, we also regularly share information with others, such as:

  • URLs we find in hacked websites pointing to malicious servers
  • Lists of compromised clients obtained through the analysis of logfiles
  • IOCs that help in detecting threats.
Other articles