ZeroAccess/Sirefef Botnet grows 4x in past month

We continue to analyze the activity of the ZeroAccess/Sirefef botnet that we first reported in February 2012. It looks like the problem is growing as indicated by the numbers reported between Feb 29 and Mar 29 from our network sensors.

Chart: ZeroAccess botnet communication with peers

In March we observed 1,380 infected computers communicating with over 773,000 peers on the Internet. This represents an infection rate of 0.5%; in other words, in the networks under observation, about 1 in every 200 homes is infected with a variant of this malware.

As can be seen in the bar chart below, the infected peers are widely distributed throughout the Internet, with 13% located in the United States.

Chart: geographic distribution of ZeroAccess-infected peers

An infected computer will contact up to 250 peers every 20 minutes to exchange new IP addresses and download new malware files.

The botnet’s main purpose is to distribute and run additional malware. So far, the most common payload is used for ad-click fraud: a configuration file containing a list of URLs is downloaded by the malware every 15 minutes, and the malware uses this list as a starting point, visiting each web site and clicking on any links it finds. Most anti-virus vendors identify this as some variant of Sirefef. The downloaded malware tries to remain unobserved and does not damage the infected host; the only noticeable effects are a significant increase in Internet traffic and some performance degradation.
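A detection heuristic for the peer fan-out described above, added here as an example and not Kindsight's own tooling: it buckets flow records into 20-minute windows and flags hosts that contact an unusually large number of distinct peers in any one window, the beaconing pattern of a P2P bot. The flow record layout, the sample addresses, and the threshold of 100 distinct peers are assumptions, not values from the post.

```python
# Added example (not from the original post): flag hosts whose distinct-peer
# fan-out within a 20-minute window resembles the P2P contact pattern of ZeroAccess.
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_THRESHOLD = 100  # assumed threshold; tune to the network's normal baseline

# Constructed flow records: (timestamp, source_host, destination_ip).
_T0 = datetime(2012, 3, 29, 12, 0, 0)
SAMPLE_FLOWS = (
    # 10.0.0.7: 240 distinct peers inside one 20-minute window (bot-like fan-out)
    [(_T0 + timedelta(seconds=5 * i), "10.0.0.7", f"198.51.100.{i}") for i in range(240)]
    # 10.0.0.3: repeated contact with the same 5 servers (normal browsing)
    + [(_T0 + timedelta(seconds=30 * i), "10.0.0.3", f"203.0.113.{i % 5}") for i in range(40)]
    # 10.0.0.9: 120 distinct peers, but spread across two windows (60 each)
    + [(_T0 + timedelta(minutes=10, seconds=10 * i), "10.0.0.9", f"192.0.2.{i}") for i in range(120)]
)


def peer_fanout(flows):
    """Map each (host, 20-minute bucket) to the set of distinct peers contacted."""
    peers = defaultdict(set)
    for ts, src, dst in flows:
        # Tumbling windows aligned to :00, :20, :40 past the hour.
        bucket = ts.replace(minute=ts.minute - ts.minute % 20, second=0, microsecond=0)
        peers[(src, bucket)].add(dst)
    return peers


def flag_hosts(flows, threshold=FANOUT_THRESHOLD):
    """Return {host: peak distinct-peer count} for hosts whose peak in any
    single window reaches the threshold."""
    peak = {}
    for (host, _bucket), dsts in peer_fanout(flows).items():
        peak[host] = max(peak.get(host, 0), len(dsts))
    return {host: n for host, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for host, n in flag_hosts(SAMPLE_FLOWS).items():
        print(f"{host}: {n} distinct peers in one 20-minute window")
```

Windowing matters: a host that spreads its contacts over several windows stays under the threshold, so a production rule would also watch for the same fan-out recurring window after window.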

Download the Malware Analysis Report - Encrypted p2p C&C for ZeroAccess/Sirefef Botnet.

By Kevin McNamee, Kindsight Security Labs