James Wyke (Sophos)
ZeroAccess is one of the most widespread threats currently plaguing the Internet. The total number of infected machines is in the tens of millions, with the number of active infections holding in the low seven figures. This huge botnet is designed to generate revenue for its owners through a variety of illicit means, including click fraud, bitcoin mining and pay-per-install schemes.
Although ZeroAccess has morphed through several significant changes during its lifetime, the current incarnation has stabilised on a UDP-based peer-to-peer protocol for its command and control. This protocol is extremely noisy and easy to spot at the network level, largely because fixed, high-numbered ports are used. However, the ZeroAccess authors use other, much more subtle and harder-to-spot techniques to monitor and control their botnet.
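The abstract notes that the P2P command-and-control traffic is easy to spot because it runs over UDP on fixed, high-numbered ports. The script below is an added illustration of the kind of network-level heuristic that observation suggests, not code from the paper or from Sophos: it reads flow summaries and flags any internal host that talks over UDP to many distinct external peers on one fixed high-numbered destination port. The flow records, the 10.0.0.0/8 internal range and the port 40000 in the sample data are all constructed placeholders (the paper does not name the ports), and the heuristic is generic to fixed-port UDP fan-out, so legitimate peer-to-peer software will trigger it too.

```python
import ipaddress
from collections import defaultdict

# Assumption: the monitored network is 10.0.0.0/8; everything else is external.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample flow summaries (not captured traffic), in the shape a
# NetFlow/Zeek-style exporter might emit: (src_ip, dst_ip, proto, dst_port).
# Port 40000 is an arbitrary placeholder, not a port taken from the paper.
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.10", "udp", 40000),
    ("10.0.0.5", "198.51.100.11", "udp", 40000),
    ("10.0.0.5", "198.51.100.12", "udp", 40000),
    ("10.0.0.5", "203.0.113.20", "udp", 40000),
    ("10.0.0.5", "203.0.113.21", "udp", 40000),
    ("10.0.0.5", "203.0.113.22", "udp", 40000),
    ("10.0.0.5", "198.51.100.10", "udp", 40000),  # repeat peer, counted once
    ("10.0.0.5", "10.0.0.1", "udp", 53),           # ordinary DNS to the local resolver
    ("10.0.0.7", "10.0.0.1", "udp", 53),
    ("10.0.0.7", "198.51.100.30", "udp", 40000),   # only two peers: below threshold
    ("10.0.0.7", "198.51.100.31", "udp", 40000),
    ("10.0.0.7", "203.0.113.40", "tcp", 443),      # TCP is ignored by this heuristic
    ("10.0.0.7", "203.0.113.41", "tcp", 443),
]


def is_internal(ip):
    """True if the address falls inside the assumed monitored range."""
    return ipaddress.ip_address(ip) in INTERNAL


def udp_fanout(flows, min_port=1024, min_peers=5):
    """Return {(src_ip, dst_port): sorted external peer IPs} for internal hosts
    that send UDP to at least `min_peers` distinct external addresses on the
    same fixed destination port >= `min_port`.

    Peers are deduplicated, so repeated contact with the same address does not
    inflate the count. This is a heuristic: it keys on the fixed-port fan-out
    pattern the abstract describes, not on anything specific to ZeroAccess.
    """
    peers = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto != "udp" or dport < min_port:
            continue
        if not is_internal(src) or is_internal(dst):
            continue
        peers[(src, dport)].add(dst)
    return {key: sorted(addrs) for key, addrs in peers.items() if len(addrs) >= min_peers}


if __name__ == "__main__":
    for (host, port), addrs in udp_fanout(SAMPLE_FLOWS).items():
        print(f"{host} -> udp/{port}: {len(addrs)} distinct external peers")
```

Tune `min_peers` to the environment: a threshold that is too low will flag VoIP, games and other peer-to-peer software, while a threshold that is too high misses a bot that has only just joined the network and knows few peers.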
In this paper we examine the secret communications channels used to administer the ZeroAccess botnet. We detail the various ways in which covert command and control traffic is embedded into legitimate-seeming network data, evading casual analysis. We look at how the authors have established a pattern of deliberate misdirection, using a variety of fake data designed to lure researchers away from genuine targets.
We will analyse the plug-ins that are downloaded by ZeroAccess, examining their functionality and how they too incorporate attempts to mislead analysis. We explain how bogus information is used to lure researchers into revealing their IP addresses so they can be added to a blocklist.
We conclude by assessing the financial rewards that ZeroAccess brings for its owners, exploring the likely future direction of the botnet and the extent to which we can attribute ownership to any particular group.
VB2013 takes place 2-4 October 2013 in Berlin, Germany.