Sign up to our newsletter
The latest security news direct to your inbox
Only weeks after Microsoft unveiled a global Cybercrime Center armed with new, hi-tech tools to detect and combat crime, the technology giant announced it had laid waste to a zombie army, namely the Siferef botnet. Microsoft collaborated with law enforcement worldwide, and targeted IP addresses and domains used by the botnet.
The botnet, also known as ZeroAccess, is spread by a Trojan, according to Microsoft’s Technet, has infected nearly two million computers worldwide, and diverts users from legitimate search results on search engines such as Bing, Yahoo and Google to potentially dangerous sites, at a cost, Microsoft claims of $2.7 million a month to advertisers.
Microsoft’s operation involved cooperation from Europol, the FBI, and industry partners. Although the botnet ‘communicates’ via a peer-to-peer system, Microsoft received authorization to block communications between machines in the U.S. and 18 IP addresses used in the scam. The firm also seized 49 domains associated with the botnet, according to the BBC’s report.
Microsoft admitted in its statement that it did not expect, or intend, to eradicate ZeroAcccess entirely, “Due to its botnet architecture, ZeroAccess is one of the most robust and durable botnets in operation today, and was built to be resilient to disruption efforts, relying on a peer-to-peer infrastructure that allows cybercriminals to remotely control the botnet from tens of thousands of different computers,” the firm said.
The malware was distributed via infected websites, Microsoft said, “Most often, computers become infected with ZeroAccess as a result of “drive-by-downloads,” where the cybercriminals create a website that downloads malware onto any unprotected computer that happens to visit that site.”
The botnet has not been completely eliminated, according to Beta News. “While the legal and technical action hasn’t wiped out the botnet entirely — ZeroAccess has been designed to resist such disruption efforts – it will have a significant impact on its effectiveness,” the site said.
Microsoft said that it expected the international action to, “significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes.”
Microsoft said in its post that this was the first large-scale action since it opened its new Cybercrime Center - a war room where the tech giant’s lawyers and security experts use what Microsoft described as bleeding-edge technology and industry expertise to battle crime online, as reported by We Live Security here.
The Cybercrime Center is to ooperate with law enforcement, academia, industry and NGOs – and focus on child exploitation, IP crimes and malware, in particular botnets. The Center will have 100 staff based around the world, and law enforcement will be able to use the facilities 24/7, The Register reports.
The Center is located on Microsoft’s Redmond campus, and includes what Microsoft describes as “groundbreaking” technologies, including SitePrint, a tool for mapping organized crime networks, and PhotoDNA, a tool for fighting child pornography.
A separate area of the Cybercrime Center will allow cybersecurity experts from third-party companies to lend their expertise, including academics, experts from industry and affected customers.
“In the fight against cybercrime the public sector significantly benefits from private sector expertise, such as provided by Microsoft,” said Noboru Nakatani, executive director of the INTERPOL Global Complex for Innovation.
“The security community needs to build on its coordinated responses to keep pace with today’s cybercriminals. The Microsoft Cybercrime Center will be an important hub in accomplishing that task more effectively and proactively.”
Microsoft pointed out that this is the third major botnet it has disrupted this year – including Citadel, a network reported to have earned up to $500m for its creators, as reported by We Live Security here.
Author Rob Waugh, We Live Security