ZeroAccess Botnet Becomes Alive Again Aiming to Rip Money from Advertisers via Click Fraud Activity
Just like any other day in the life of hackers, we mark another chapter in which cybercrooks find new ways to mastermind and reactivate old threats, as they have recently done with the well-known ZeroAccess botnet.
Known as an unscrupulous botnet, ZeroAccess has resumed its click-fraud duties. ZeroAccess, also known as Sirefef, has been reactivated to distribute click-fraud templates to compromised computers. In short, systems already infected with ZeroAccess have received a new wake-up call from the botnet's controllers, one that may evade detection.
The number of systems infected with some form of ZeroAccess was once thought to be in the millions but has dwindled to a much smaller infection base of about 55,000 systems. The botnet was taken down at the end of 2013, after which we saw a major decline in the number of infected systems. However, many systems have remained infected since then, with the malware residing dormant on the system and awaiting updates from its command-and-control servers.
Click fraud is usually conducted through botnets, and in this case ZeroAccess is able to help generate clicks on malicious ads served through a known advertising network. Because the clicks come from many different infected hosts, they are not seen as coming from the same computer. This allows the clicks to generate pay-per-click revenue while bypassing the network's logging of specific IP addresses, which caps clicks at a certain rate when they are suspected of coming from the same source or computer. The whole scheme is rather clever, and it has been highly successful over the many years that ZeroAccess has been active.
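To illustrate why a per-IP cap alone misses this pattern, here is an added example (not from the article or any advertising network) that runs a constructed click log through a naive per-IP cap and then through a complementary "many hosts, one click each" heuristic; the cap, window and threshold values are assumptions.

```python
from collections import defaultdict

# Constructed sample click log (epoch seconds, source IP, ad id); not real traffic.
# "ad-A" is hit 8 times from one host, "ad-B" 8 times from 8 different hosts.
CLICKS = [(i, "203.0.113.9", "ad-A") for i in range(8)] + \
         [(i, f"198.51.100.{i}", "ad-B") for i in range(8)]

IP_CAP = 2        # assumed network rule: at most 2 billable clicks per IP per ad per window
WINDOW = 60       # seconds
MIN_DISTINCT = 5  # assumed threshold for the distributed-burst heuristic


def billable_after_ip_cap(clicks, cap=IP_CAP, window=WINDOW):
    """Apply the classic per-IP cap and return billable clicks per ad.

    Clicks beyond `cap` from one (ip, ad) pair inside a window are discarded.
    """
    billable = defaultdict(int)
    seen = defaultdict(list)  # (ip, ad) -> timestamps already billed
    for ts, ip, ad in sorted(clicks):
        recent = [t for t in seen[(ip, ad)] if ts - t < window]
        if len(recent) < cap:
            recent.append(ts)
            billable[ad] += 1
        seen[(ip, ad)] = recent
    return dict(billable)


def distributed_burst_ads(clicks, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Flag ads that draw many one-click-per-host sources inside one window.

    That is the shape a click-fraud botnet produces: each infected peer clicks
    once, so no single IP trips the cap. Legitimate viral traffic can look
    similar, so treat hits as leads for baselining rather than proof.
    """
    flagged = set()
    by_ad = defaultdict(list)
    for ts, ip, ad in sorted(clicks):
        by_ad[ad].append((ts, ip))
    for ad, events in by_ad.items():
        for i, (start, _) in enumerate(events):
            ips = [ip for ts, ip in events[i:] if ts - start < window]
            if len(ips) >= min_distinct and len(set(ips)) == len(ips):
                flagged.add(ad)
                break
    return flagged


if __name__ == "__main__":
    print(billable_after_ip_cap(CLICKS))  # {'ad-A': 2, 'ad-B': 8}: the cap only stops ad-A
    print(distributed_burst_ads(CLICKS))  # {'ad-B'}: the distributed pattern is caught here
```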
Having received new instructions, systems infected with ZeroAccess have resumed conducting click-fraud activity, which can be focused on various malvertising campaigns. Advertising networks have long been targets for injecting malicious ads so that they are displayed on legitimate sites, some of them high-traffic sites that many of us visit daily. The purpose of the recent ZeroAccess campaign may be to lure computer users into clicking on malicious ads through such networks, generating money through clicks under a cost-per-click model.
The distribution of ZeroAccess has always been widespread, but the botnet's peers now reside mainly in Japan, with 15,322 hosts (27.7% of total infections), India with 7,446 hosts (13.5%), and the United States with 2,540 hosts (4.6%). Given that the campaigns are rather small and mostly outside the U.S., experts believe this is a tactic to evade detection and avoid the law enforcement agencies whose take-down operations have succeeded in the past.
With the reactivation of ZeroAccess, advertisers are once again in a position to lose money to fraudulent clicks. Advertisers rely on their networks to serve their inventory of ads and to prevent it from being abused by fraudulent clicks. With ZeroAccess back on the scene, it may very well exhaust many advertisers' budgets and end up costing companies dearly in the long run.