Microsoft: ZeroAccess botnet crooks raise ‘white flag’

The Microsoft Digital Crimes Unit has declared victory in its war with the ZeroAccess botnet, saying the malicious network's operators have given up the ghost.

While monitoring the impact of its ZeroAccess takedown earlier this month, and working alongside law enforcement bodies to track new IP addresses introduced by the crooks, Microsoft noticed an interesting section of update code that read "WHITE FLAG".

It was believed this meant the crooks had relinquished control of the botnet. Since then, there have been no more attempts to release new code and keep the ZeroAccess operation alive, Microsoft said.

"The botnet is currently no longer being used to commit fraud," said Richard Domingues Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, in a blog post.

Microsoft worked closely with the European Cybercrime Centre (EC3) and other EU-based law enforcement agencies to take on ZeroAccess, which was believed to have infected two million machines globally.

Even after Microsoft had taken over 49 domains associated with the ZeroAccess botnet and disrupted the operation, and European law enforcement had seized 18 machines linked with the fraudulent programme, it appeared the malware would remain rampant.

That was because ZeroAccess used a peer-to-peer (P2P) architecture that makes it difficult to take down.

Researchers working with security company Damballa had even claimed the operation was insufficient and that 62 per cent of the infrastructure was still usable. "Even without updates being sent across the P2P channel, the botnet's monetisation was largely unaffected," they wrote in a blog post.

Dell SecureWorks told IT Pro today it had seen the "WHITE FLAG" update the day after the takedown. In a subsequent analysis, it found it was "far from clear" whether the takedown was a success or not, as figures had shown only a slight decrease in ZeroAccess activity.

But Microsoft has now claimed success. "I am pleased to report that our disruption effort has been successful, and it appears that the criminals have abandoned their botnet," Boscovich added.

"As a result, last week Microsoft requested that the court close the civil case in order to allow law enforcement to continue their investigative efforts in the matter."

ITPro