Symantec researchers sinkhole Bitcoin-mining Zero Access botnet horde: Symantec have successfully sinkholed a significant proportion of the infamous Zero Access botnet, rescuing hundreds of thousands of the 1.9 million victims from the scam’s zombie masters.
Symantec published details of the operation after finding a way to sinkhole an earlier version of the Zero Access botnet. Although the technique does not work against a later, updated version of the malware, the firm said the operation still detached over 500,000 machines from the zombie network.
“This operation quickly resulted in the detachment of over half a million bots and made a serious dent to the number of bots controlled by the botmaster. In our tests, it took an average of just five minutes of P2P activity before a new Zero Access bot became sinkholed,” read the blog post.
Sinkholing is a takedown technique commonly used by law enforcement and security professionals against botnets. It works by redirecting the bots’ attempts to locate their command and control (C&C) server, normally by taking over the domain names or IP addresses the malware is programmed to contact, to an analysis server run by the sinkholer, which records the infected machines that check in but issues them no commands.
Before Symantec’s operation, the Zero Access botnet was thought impossible to sinkhole because it has no central C&C server; the bots instead coordinate over a peer-to-peer network.
“Since no central C&C server exists, you cannot simply disable a set of attacker servers to neuter the botnet. Whenever a computer becomes infected with Zero Access, it first reaches out to a number of its peers to exchange details about other peers in its known P2P network,” explained Symantec.
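To make the difference between a conventional sinkhole and a peer-to-peer one concrete, the following is an added simulation: it is not Symantec’s code, and it does not describe the particular weakness Symantec exploited, which the article does not give. It models bots that swap peer lists in the way described above, and a sinkhole operator who seeds a handful of bots with sinkhole addresses and answers every peer request with more of them. A bot counts as sinkholed once every entry in its peer list points at the sinkhole, since from then on it can never reach a real peer or receive a command. The peer-list size, the reply size, newest-first eviction and the seeding step are assumptions of the model, and the sinkhole addresses are constructed.

```python
"""Toy model of sinkholing a peer-to-peer botnet by poisoning peer lists.

Added illustration only: this is not Symantec's code and does not describe
the particular weakness used against Zero Access. The protocol details
(bounded peer list, reply size, newest-first eviction, how the sinkhole is
seeded) are assumptions chosen so that the dynamics are easy to see.
"""
import random
import statistics

PEER_LIST_SIZE = 8   # assumed: each bot remembers at most 8 peers, newest first
REPLY_SIZE = 4       # assumed: a peer request returns up to 4 addresses
# Constructed sinkhole addresses; real bots are identified by integers.
SINKHOLE_ADDRS = [f"sinkhole-{i}" for i in range(10)]
SINKHOLE_SET = set(SINKHOLE_ADDRS)


class Bot:
    def __init__(self, bot_id, peers):
        self.id = bot_id
        self.peers = list(peers)      # newest entries first
        self.sinkholed_at = None      # round in which the last real peer was lost

    def is_sinkholed(self):
        """True when every known peer is a sinkhole address: the bot can no
        longer reach the real P2P network and so can never receive commands."""
        return all(p in SINKHOLE_SET for p in self.peers)

    def learn(self, new_peers, rnd):
        """Merge freshly received addresses, newest first, evicting the oldest."""
        merged = []
        for p in list(new_peers) + self.peers:
            if p != self.id and p not in merged:
                merged.append(p)
        self.peers = merged[:PEER_LIST_SIZE]
        if self.sinkholed_at is None and self.is_sinkholed():
            self.sinkholed_at = rnd

    def reply(self, rng):
        """What this bot tells a peer that asks it for addresses."""
        return rng.sample(self.peers, min(REPLY_SIZE, len(self.peers)))


def simulate(n_bots=300, rounds=80, seeded=30, sinkhole=True, seed=1):
    """Run the peer exchange for a number of rounds.

    Returns (bots, trajectory) where trajectory[r] is the fraction of bots
    sinkholed after round r (trajectory[0] is the state after seeding).
    """
    rng = random.Random(seed)
    ids = list(range(n_bots))
    bots = [Bot(i, rng.sample([j for j in ids if j != i], PEER_LIST_SIZE))
            for i in ids]
    if sinkhole:
        # Assumed seeding step: the operator gets one sinkhole address into
        # the peer lists of a handful of bots it can reach directly.
        for b in rng.sample(bots, seeded):
            b.learn([rng.choice(SINKHOLE_ADDRS)], 0)
    trajectory = [sum(b.is_sinkholed() for b in bots) / n_bots]
    for rnd in range(1, rounds + 1):
        for b in bots:
            target = rng.choice(b.peers)
            if target in SINKHOLE_SET:
                # The sinkhole never issues commands; it only hands out
                # more of its own addresses.
                learned = rng.sample(SINKHOLE_ADDRS, REPLY_SIZE)
            else:
                learned = bots[target].reply(rng)
            b.learn(learned, rnd)
        trajectory.append(sum(b.is_sinkholed() for b in bots) / n_bots)
    return bots, trajectory


def summarize(bots):
    """Fraction of bots sinkholed and the mean round at which it happened."""
    hit = [b.sinkholed_at for b in bots if b.sinkholed_at is not None]
    frac = len(hit) / len(bots)
    mean_round = statistics.mean(hit) if hit else None
    return frac, mean_round


if __name__ == "__main__":
    bots, traj = simulate()
    frac, mean_round = summarize(bots)
    print(f"sinkholed: {frac:.0%} of bots, mean round {mean_round:.1f}")
    print("fraction sinkholed every 10 rounds:", [round(x, 2) for x in traj[::10]])
```

Two things the model makes visible that the quotes above only assert. First, because no bot ever needs to contact a fixed server, there is nothing to seize: the sinkhole spreads only because bots relay whatever addresses they have been given, so a single poisoned bot passes the sinkhole on to the peers that ask it for addresses. Second, once a bot’s whole list is poisoned it has nowhere left to turn, which is why the count only ever rises in the trajectory and why the mean round at which bots drop off is a rough analogue of the “five minutes of P2P activity” Symantec measured. Running the no-sinkhole control (`simulate(sinkhole=False)`) shows the real network left untouched.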