On Thursday, Microsoft's Digital Crimes Unit, the legal and technical team that has driven the takedown of botnets such as Bamital and Nitol during the past year, announced that it has moved with Europol, industry partners, and the FBI to disrupt yet another search fraud botnet. The ZeroAccess botnet, also known as ZAccess or Siref, has taken over approximately 2 million PCs worldwide; Microsoft estimates that it has cost search engine advertisers on Google, Bing, and Yahoo over $2.7 million each month.
According to security reporter Brian Krebs, ZeroAccess began its life cycle in 2009 as a delivery network for other malware—dropping paying customers' viruses and Trojans, including "scareware" fake antivirus packages—onto PCs it had successfully infected. But since then, it has evolved into a "clickfraud" platform—intercepting search requests from the user's Web browser and injecting fraudulent hyperlinks into the results returned from major search sites. The botnet operators get paid through advertising networks for the traffic sent to the sites as if the user had clicked on a legitimate ad.
After identifying the IP addresses of 18 command-and-control servers involved in directing ZeroAccess, Microsoft filed civil lawsuits last week against the botnet operators in the US District Court for the Western District of Texas. The court gave Microsoft permission in court to block traffic between them and PCs in the US using technology provided by networking vendor A10 Networks.