When Microsoft and various law enforcement agencies around the world disrupted the ZeroAccess botnet at the beginning of December, they did not expect to fully eliminate it.
After all, the botnet had been targeted two months earlier by Symantec researchers, who managed to sinkhole a large chunk of it before its masters managed to update the bots and patch the security holes that allowed the researchers to do it.
But, as Richard Boscovich, Assistant General Counsel with Microsoft’s Digital Crimes Unit has shared in a blog post, the bot masters have seemingly given up on the botnet:
As we expected, less than 24 hours after our disruptive action, the cybercriminals pushed out new instructions to the ZeroAccess-infected computers in order to continue their fraud schemes.
However, because we were monitoring their actions and able to identify new Internet Protocol (IP) addresses the criminals were using to commit their crimes, Europol’s European Cybercrime Centre (EC3) took immediate action to coordinate with member country law enforcement agencies, led by Germany’s Bundeskriminalamt’s (BKA) Cyber Intelligence Unit, to quickly track down those new fraud IP addresses.
After BKA’s quick response, the bot-herders released one additional update to the infected computers that included the message “WHITE FLAG,” which we believe symbolizes that the criminals have decided to surrender control of the botnet. Since that time, we have not seen any additional attempts by the bot-herders to release new code and as a result, the botnet is currently no longer being used to commit fraud.
Because of this development, Microsoft has asked the court to close the civil case they filed against the criminals, so that law enforcement can continue to investigate and hopefully track them down.
In the meantime, Microsoft tries to help infected users clean their computers, as ZeroAccess is a sophisticated and difficult to remove piece of malware. Users are advised to follow the instructions detailed here.