
ZeroAccess: Sinkhole Sucks Brains From Big Bitcoin Mining Botnet

One of the biggest botnets in the world sees half a million bots made inactive as law enforcement takes an interest

By Thomas Brewster

One of the biggest botnets in the world has had a quarter of its bots taken out of action, thanks to a sinkholing operation from security researchers.

ZeroAccess had 1.9 million bots under its control, but half a million have now been detached from the malicious peer-to-peer network. P2P botnets are harder to sinkhole than traditional botnets, as they have no central points of control to take down.

The botnet was one of the biggest Bitcoin mining botnets in the world, using its bots to solve the computationally hard mathematical problems that produce coins of the crypto-currency.

ZeroAccess also earned plenty of money by delivering a click fraud Trojan, which would generate artificial clicks on ads as if they were from legitimate users.

ZeroAccess takes a hit

Whilst neither of ZeroAccess’ two main operations directly impacts victims’ bank balances, it has caused significant secondary effects, Orla Cox, security operations manager for Symantec Security Response, told TechWeekEurope.

Symantec operated a sinkhole to clear up ZeroAccess activity, and during its research found that each bot was using 257MB of network traffic every hour, or 6.1GB a day, while generating around 42 false ad clicks an hour. The botnet could therefore be generating tens of millions of dollars a year, to the detriment of ad networks.

There has been a cost for the environment too. Comparing the energy used by an idle PC and an infected machine mining for Bitcoin, Symantec determined 1.82 kWh was being used per day by one victim machine. Multiplying that by 1.9 million gives 3,458 MWh per day – enough to power over 111,000 homes.

The botnet’s Bitcoin operation was only profitable because it used stolen electricity: it used about $561,000 (£347,000) of electricity a day on its victims’ machines, while only generating $2,165 (£1,340) a day.
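As an added example (not part of the article or of Symantec's report), the following Python scales the per-bot figures above to the whole botnet and derives the numbers the article leaves implicit: the electricity price and household consumption its totals imply, the ratio of victims' power cost to mining revenue, and what detaching 500,000 bots takes away. It assumes the per-bot energy, revenue and click rates stay constant as the botnet shrinks.

```python
from dataclasses import dataclass

# Figures as reported in the article (Symantec's measurements of ZeroAccess).
BOTS = 1_900_000                   # bots under ZeroAccess control
SINKHOLED = 500_000                # bots detached by Symantec's sinkhole
KWH_PER_BOT_PER_DAY = 1.82         # extra energy of an infected, mining PC
ELECTRICITY_USD_PER_DAY = 561_000  # victims' power bill, whole botnet
BITCOIN_USD_PER_DAY = 2_165        # mining revenue, whole botnet
HOMES_POWERED = 111_000            # "enough to power over 111,000 homes"
MB_PER_BOT_PER_HOUR = 257
CLICKS_PER_BOT_PER_HOUR = 42


@dataclass(frozen=True)
class DailyFigures:
    bots: int
    mwh: float              # energy burned across `bots` machines per day
    electricity_usd: float
    bitcoin_usd: float
    fake_clicks: int
    gb_per_bot: float       # per-bot traffic, taking 1 GB = 1000 MB


def daily_figures(bots: int = BOTS) -> DailyFigures:
    """Scale the article's per-bot rates to `bots` machines. Assumes (our
    assumption) the per-bot energy, revenue and click rates stay constant."""
    kwh = bots * KWH_PER_BOT_PER_DAY
    return DailyFigures(
        bots=bots,
        mwh=kwh / 1000,
        electricity_usd=ELECTRICITY_USD_PER_DAY * bots / BOTS,
        bitcoin_usd=BITCOIN_USD_PER_DAY * bots / BOTS,
        fake_clicks=bots * CLICKS_PER_BOT_PER_HOUR * 24,
        gb_per_bot=MB_PER_BOT_PER_HOUR * 24 / 1000,
    )


def implied_usd_per_kwh() -> float:
    """Electricity price that makes the $561k/day and 1.82 kWh/bot figures agree."""
    return ELECTRICITY_USD_PER_DAY / (BOTS * KWH_PER_BOT_PER_DAY)


def kwh_per_home_per_day() -> float:
    """Household consumption implied by 'enough to power over 111,000 homes'."""
    return BOTS * KWH_PER_BOT_PER_DAY / HOMES_POWERED


if __name__ == "__main__":
    before, after = daily_figures(), daily_figures(BOTS - SINKHOLED)
    print(f"{before.mwh:,.0f} MWh/day at ${implied_usd_per_kwh():.3f}/kWh "
          f"(~{kwh_per_home_per_day():.0f} kWh per home per day)")
    print(f"power cost is {before.electricity_usd / before.bitcoin_usd:.0f}x mining revenue")
    print(f"sinkhole removes {before.mwh - after.mwh:,.0f} MWh/day and "
          f"{before.fake_clicks - after.fake_clicks:,} fake clicks/day")
```

Running it shows that the reported totals agree with each other only at about $0.16 per kWh and roughly 31 kWh per household per day, which is a useful sanity check before quoting such figures.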

Cox said she was confident Symantec’s sinkholing operation would make a significant dent in ZeroAccess’ success. The researchers managed to sinkhole the P2P network by seeding their own peers into the communication used by the botmasters.

Earlier this year, a paper was released detailing a vulnerability in the botnet’s custom protocol. The botmasters then updated the protocol to close off the flaw, but only for half the bots.

“We decided to move quickly at that point,” Cox told TechWeek. It remains unclear why only half the bots were updated. “It could be potentially that there are multiple people involved, that this is only one part of the group. Maybe they were just testing it.”

Symantec is now working with ISPs across the world to have the infected machines cleaned, 1.3 percent of which are based in the UK. The US has the highest level of infection with 35 percent.

Cox said law enforcement had shown an interest in tackling the botnet and its controllers. “We believe it’s classic cyber criminal gangs [using ZeroAccess]. They’re likely from Eastern Europe, Ukraine, Russia. They are definitely professional in some way.”


Author: Thomas Brewster

Security Correspondent, TechWeekEurope


4 replies to ZeroAccess: Sinkhole Sucks Brains From Big Bitcoin Mining Botnet

  • On October 1, 2013 at 10:16 am by brian M

    Makes you realise what a stupid idea the Bitcoin concept is. A system/concept that by definition is wasteful and pointless.

    • On October 1, 2013 at 11:17 am by Robin

      You’re mistaken. It depends entirely on your method of mining bitcoins, and the btc-per-watthour has risen enormously the past two years. Even before its current state it was profitable given the proper GPU-based setup.

  • On October 1, 2013 at 11:02 am by rafal

    Someone should tell this guy to mine LITECOIN instead of Bitcoin, if on CPU.

    Then profitability should be 10-30% of electrical bill afair.

  • On October 1, 2013 at 12:48 pm by John

    This will be the reason that Timekoin will overtake all of these types of virtual currency as it has removed the silly requirement that faster CPU/GPU/whatever is necessary to secure it.
