How to detect the ZeroAccess botnet on your network and stop it broadcasting
For those of you who do not yet know, ZeroAccess is a Trojan-horse malware that infects Windows-based machines to form a botnet. Compromised machines will then either start mining Bitcoins, or participate in mass click fraud.
Estimates of infected computers range from 1 to over 9 million (such things are notoriously difficult to determine), and the botnet is estimated to be generating about $100,000 profit per day, or about $2.7 million each month.
This particular botnet was recently targeted by a coalition led by Microsoft, the Europol Cybercrime Center, and the Federal Bureau of Investigation in a massive campaign to take down the botnet. While Microsoft’s press release claims that the operation was (albeit partially) successful, other sources indicate that the operation was in fact a failure (see update).
The resilience of ZeroAccess is due to its P2P command and control design, which lets the botmaster revive the botnet by simply pushing out a new update. Where Microsoft unfortunately failed was that they only managed to take down about 40% of the botnet’s infrastructure.
So how do you detect the ZeroAccess botnet on your network? Well we are going to show you here.
There are already simpler guides to detect and disinfect single machines (like your home computer). We have not seen any instructions so far to detect ZeroAccess on networks, especially for large networks with 10,000+ devices. Accordingly we have developed our own method for detecting ZeroAccess.
This guide is somewhat technical so we assume that you are familiar with basic networking, and that you know how to start up and run a packet sniffer.
The key thing to understand about botnets is that *by design* they must be able to access the internet – otherwise there would simply be no threat. Every corporate network has a connection to the firewall, which connects the internal network to the internet.
Find that cable – and make note of where it is plugged into the switch (if you are not sure ask your network person). You want to see all the traffic that is going out to the internet *without disrupting it*.
To see this traffic you need to set up a span port or mirroring port. On Cisco switches this will be the “set span” command. Ask your network person if you have any difficulty.
ZeroAccess (as of this writing) uses ports 16464, 16465, 16470, and / or 16471. The specific port depends on whether the version is 32-bit or 64-bit, though this is largely irrelevant from a threat perspective. Very likely these ports will change in a later update from the botmaster, so timing is very important.
Once you set up the command, it will mirror the traffic from the above ports to another switch port. Make sure to note which switch port you are using as the mirror destination, as you will need this in the next step.
Get yourself a laptop, then download and install Wireshark. This is a free and open-source packet analyzer, and you will need this tool to “packet sniff” your network traffic.
Plug that laptop into the destination port and turn on Wireshark. You should see a lot of unfiltered traffic going out to the internet. If you do NOT see any traffic then you are either plugged into the wrong port, the span port command is not set up, or Wireshark is not working.
You will need to set up a filter to make sense of the packets you are capturing. The easiest way to do this is to use the capture filter “dst portrange 16464-16471”. Yes, there are a few extra ports in that range, so you may get some false positives.
Once the filter is set, you can begin capturing the packets – but you must be patient! The botnet can only function if the machine is turned on and connected to the internet. So if someone leaves their laptop at home or shuts down their machine for a business trip, you won’t get the data you need.
What you are looking for is a machine communicating with a lot of different IP addresses, and none (or comparatively very few) of them are repeating. This is a sign of an active botnet.
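The “many distinct destinations, few repeats” pattern described above can be scored automatically once the capture is exported as one line per packet. The script below is an added example and is not part of the original article; it assumes tab-separated input of the form `src_ip<TAB>dst_ip<TAB>dst_port`, which is what `tshark -r capture.pcap -T fields -e ip.src -e ip.dst -e udp.dstport` prints (one way to produce it; the capture filter from the article already limits the file to the ports of interest). The thresholds `min_peers` and `max_repeat_fraction` are assumptions to tune for your network, and the sample traffic is constructed, not a real capture.

```python
"""Score each internal host by how P2P-like its traffic to the ZeroAccess ports is.

A host that talks to many different peers on these ports and almost never
contacts the same peer twice matches the behaviour the article describes.
"""
from collections import defaultdict

# Ports the article lists as in use at time of writing; the botmaster can change them.
ZEROACCESS_PORTS = {16464, 16465, 16470, 16471}


def _build_sample_capture():
    """Constructed sample input (not real traffic), in tshark '-T fields' layout."""
    lines = []
    # 10.0.0.23: 40 packets to 40 different peers on 16464, none repeating -> P2P-like.
    for i in range(40):
        lines.append(f"10.0.0.23\t203.0.113.{i + 1}\t16464")
    # 10.0.0.5: 30 packets to just two servers on 16470 -> an in-house app, mostly repeats.
    for i in range(30):
        lines.append(f"10.0.0.5\t198.51.100.{7 + (i % 2)}\t16470")
    # 10.0.0.9: 40 packets to 40 different web servers on 443 -> normal browsing, wrong port.
    for i in range(40):
        lines.append(f"10.0.0.9\t192.0.2.{i + 1}\t443")
    # Two malformed lines, as real exports sometimes contain.
    lines.append("garbage line without tabs")
    lines.append("10.0.0.9\t192.0.2.1\tnot-a-port")
    return "\n".join(lines)


SAMPLE_CAPTURE = _build_sample_capture()


def parse_capture(text):
    """Turn 'src<TAB>dst<TAB>port' lines into (src, dst, port) tuples, skipping bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 3:
            continue
        src, dst, port = parts
        try:
            records.append((src, dst, int(port)))
        except ValueError:
            continue  # non-numeric port column
    return records


def peer_stats(records, ports=ZEROACCESS_PORTS):
    """Per source host: packets sent to the watched ports, distinct peers contacted,
    and the fraction of those packets that went to a peer already seen before."""
    peers = defaultdict(list)
    for src, dst, dport in records:
        if dport in ports:
            peers[src].append(dst)
    stats = {}
    for src, dsts in peers.items():
        total = len(dsts)
        distinct = len(set(dsts))
        stats[src] = {
            "packets": total,
            "distinct_peers": distinct,
            "repeat_fraction": round(1 - distinct / total, 3),
        }
    return stats


def flag_suspects(stats, min_peers=20, max_repeat_fraction=0.25):
    """Hosts with many distinct peers and few repeats; thresholds are assumed defaults."""
    return sorted(
        src for src, s in stats.items()
        if s["distinct_peers"] >= min_peers and s["repeat_fraction"] <= max_repeat_fraction
    )


if __name__ == "__main__":
    stats = peer_stats(parse_capture(SAMPLE_CAPTURE))
    for src, s in sorted(stats.items()):
        print(f"{src:15} packets={s['packets']:4} peers={s['distinct_peers']:4} "
              f"repeat={s['repeat_fraction']:.2f}")
    print("suspects:", flag_suspects(stats))
```

On the constructed sample, only 10.0.0.23 is flagged: 10.0.0.5 uses one of the watched ports but keeps returning to the same two servers, and 10.0.0.9 fans out to many hosts but on port 443, so it never enters the statistics. Because the heuristic is purely about fan-out and repetition, it still needs the patience the article asks for: a few packets from a machine that was only briefly online will not reach the peer threshold.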
According to Symantec – ZeroAccess has been observed contacting the following IP addresses:
Note: ZeroAccess uses many IP addresses that change frequently. The above list should be used to confirm that the threat exists, but the absence of these addresses alone is not proof that a machine is clean.
If you identify machines showing suspicious behavior, then you should try to isolate them or remove them from the network so they cannot cause further damage. Luckily there are already removal tools for this malware, which you can find from a reputable malware / antivirus vendor.
- For a complete breakdown of the ZeroAccess botnet – read Sophos’ 60-page report.
- To keep an eye on new developments – check Symantec’s technical details page.
There are several ways you can prevent ZeroAccess from infecting or broadcasting from your network.
- Follow standard security best practices so you won’t fall victim to a Trojan horse (duh)
- Update your OS and security applications immediately
- Install a proxy server and only allow very specific ports to access the internet
- Install an Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
- Restrict outbound ports to only those necessary to provide services in your company (note this is only a temporary measure at best)
- Log all connections to your firewall and save these logs.