Cracking the encrypted C&C protocol of the ZeroAccess botnet

John Morris (Kindsight)
Kevin McNamee (Kindsight)


This session will explore how we cracked the encryption algorithm and decoded the command and control (C&C) protocol of the ZeroAccess peer-to-peer botnet, which is being used to control an advanced malware distribution system deployed for wide-scale fraud and identity theft attacks.

The analysis starts with the discovery of an unusual traffic pattern from computers infected with a variety of malware in a real-world service provider deployment. In a single day, a relatively small group of infected computers (approx. 300) on the network communicated with over 60,000 computers on the Internet, using what was clearly an encrypted command and control protocol.

We will then describe how we combined traffic analysis from our network sensors with dynamic analysis of malware samples in the lab to reverse engineer this bot, crack the encryption algorithm and decode the command and control protocol. In addition, we will describe the infection process, how the malware injects itself into a variety of system processes and how it protects itself from detection. We will provide a detailed analysis of how it maintains contact with its peers and discuss various approaches for the infiltration and takedown of this botnet.
