Back channels and bitcoins: ZeroAccess' secret C&C communications

James Wyke, Sophos


ZeroAccess is one of the most widespread threats currently plaguing the Internet. The total number of infected machines is in the tens of millions, with the number of active infections holding in the low seven figures. This huge botnet is designed to generate revenue for its owners through a variety of illicit means, including click fraud, bitcoin mining and pay-per-install schemes.

Although ZeroAccess has morphed through several significant changes during its lifetime, the current incarnation has stabilised on a UDP-based peer-to-peer protocol for its command and control. This protocol is extremely noisy and easy to spot at a network level, generally because fixed, high-number ports are used. However, the ZeroAccess authors use other, much more subtle and harder-to-spot techniques to monitor and control their botnet.

In this paper we examine the secret communications channels used to administer the ZeroAccess botnet. We detail the various ways in which covert command and control traffic is embedded into legitimate-seeming network data, evading casual analysis. We look at how the authors have established a pattern of deliberate misdirection, using a variety of fake data designed to lure researchers away from genuine targets.

We will analyse the plug-ins that are downloaded by ZeroAccess, examining their functionality and how they too incorporate attempts to mislead analysis. We explain how bogus information is used to lure researchers into revealing their IP addresses so they can be added to a blocklist.

We conclude by assessing the financial rewards that ZeroAccess brings for its owners, exploring the likely future direction of the botnet and the extent to which we can attribute ownership to any particular group.

VB2013 takes place 2-4 October 2013 in Berlin, Germany.


