As researchers we tend to emphasise the technical detail concerning the threats we deal with in the labs on a day to day basis - which is often what interests us most - and pay less attention to the more abstract issues that are of more immediate concern to a non-technical audience. Clearly, some articles, like my colleague Aleksandr Matrosov's excellent analysis of changes to the ZeroAccess rootkit family, are intended for an audience with a high level of technical understanding, to share technical information and stimulate informed discussion, whereas others have a more general, educational purpose. For a technical analysis, we usually have to assume that our readers have a good understanding of the underlying technologies and terminology: otherwise, we'd have to go into detailed considerations of basic principles that would have technical readers such as other researchers drumming their fingers irritably while we go over old ground.

Sometimes, though, even a highly technical article has serious implications for people who aren't likely to read such an article. For example, while many ThreatBlog readers probably weren't too interested in the finer points of Aleksandr's earlier article on CVE2012-1889: MSXML use-after-free vulnerability, that article makes the point very firmly in its first paragraph that the problem described is already being exploited out there in the wild: the reader didn't have to understand the underlying technology to appreciate the need to install the ‘Fix it’ patch on systems where the affected software was installed (see Microsoft Security Advisory 2719615). My colleague at Securing Our eCity, Liz Fraumann, sometimes refers to this in terms of "what does this mean for the end user?"

In the case of ZeroAccess, after a little discussion between Stephen Cobb, Aleks and myself, we thought that it might be useful to expand on the way in which ZeroAccess earns a dishonest crust for the criminals behind it. LIke many other malware families, ZeroAccess (or Sirefef) sells itself to its partners or affiliates on the strength of the way in which it substitutes its own choices for the results of popular search engines–a form of click fraud.

ZeroAccess uses a P2P (Peer-to-Peer) network protocol for communicating with the C&C (Command and Control server) used by the gang to exploit infected machines by giving instructions to the local malware that allows it to  generate illicit income.  This income is generated by a 'clicker module' that implements a number of malicious techniques:

  •  'blackhat' SEO (search engine optimization) or index hijacking that helps drive people using search engines like Bing and Google to malicious links.
  • clickjacking - hijacking the user's mouse clicks and redirecting them invisibly to another site for its own malicious purposes
  • substitution of its own choice of URLs for the legitimate results that a search engine would generate for an uncompromised system: in this case, to implement click fraud. We considered another interesting example of click fraud with respect to Cycbot: and the 'Ready to Ride' cybercrime group.

The C&C not only issues commands, but also updates payload modules (what the malware actually does) and lists of malicious URL's in the form of an XML-based configuration file. Aleks points out that the TDL3/TDL4 rootkit/bootkit family is also capable of implementing clickjacking and changes in search results, while Stephen observes that monetizing malware via fake search results is essentially what DNSchanger was doing, albeit by a different process.

Absorbing though the mechanical detail can be, we shouldn't lose sight of the fact that complex malware is created for a reason - i.e. profit - and the way in which a rootkit or bootkit can provide persistent infection (that is, infection over an extended period that survives rebooting) provides a substantial profit for the criminals behind the bot. When it's installed, they make a percentage of the profit on every click or redirection. Continued and aggressive distribution of ZeroAccess through driveby downloads (where just landing on a malicious URL can result in infection without any action on the part of the victim), offers of fake software downloads and so on, mean that their revenue stream isn't showing signs of drying up for a while yet.

David Harley CITP FBCS CISSP
ESET Senior Research Fellow