Synthetic Snake Oil: Online Security Tips

DP57 ZeroAccess Trojan Horse


Discovered around May 2011, this trojan horse made history by infecting millions of computers. Affecting only Windows computers, the malware was distributed as part of a botnet while remaining undetected thanks to rootkit techniques.

Rootkits are a new development in the hacker community. To the public the term has a negative connotation, since a rootkit is usually a collection of malware. Rootkits are also known to be difficult to detect, and finding them requires techniques such as memory dump analysis, difference scanning and more.

Getting back to ZeroAccess: this botnet spread quickly and was estimated to be on at least 9 million systems. However, those numbers vary depending on where you get them. Antivirus vendor Sophos stated there were only 1 million infections by the third quarter of 2012. Kindsight, a security firm, estimated 2.2 million infected systems around that time too.

Regardless, this trojan horse spread quickly. But how was it able to do that? Beyond its rootkit techniques being tough to detect, it also had several ways of getting into computers.

One attack was through social engineering. A user was encouraged to execute malicious code by clicking on a seemingly legitimate file. It could also be hidden as another payload in a pop-up; for example, the trojan horse could arrive when a license key pop-up appears on your screen.

The second attack it used was through an advertising network. An ad could tempt you to click on it and redirect you to a site that hosts the malware.

The final attack could be through an affiliate scheme. A third party is paid for installing the rootkit on your system by whatever means they can.

Given the number of infected systems, Microsoft did move to destroy the botnet's command and control network in December 2013. However, the attempt was unsuccessful, and the botnet can still be updated even today.

So what was the point of this attack? It helps to understand what ZeroAccess does, and on a consumer level it does cause some concern. When a computer gets infected with the ZeroAccess rootkit, it immediately starts one of two botnet operations: click fraud or bitcoin mining.

What this means is that our computer is either remotely mining bitcoins (which were valued at 2.7 million USD at the time), generating money for the controller, or it is clicking on ads in the background without us noticing.

The bitcoin mining doesn't really cost most people much; click fraud, however, did impact advertisers significantly, with some reporting that they paid $900,000 a day for fraudulent clicks.

While some of us may not care much about that, this trojan horse does other things too. For one, it could infect a random driver and thus gain control over the operating system. Even if you're lucky and it doesn't infect a driver, it automatically disables Windows Security Center, Firewall and Defender. This could leave you open to more attacks in the future.

While this trojan horse may be a thing of the past, we still must exercise caution. Be wary of suspicious emails and of which advertisements you click on, particularly where those ads are located.


Synthetic Snake Oil: Online Security Tips, by dpapp