Malware Analysis: New C&C Protocol for ZeroAccess/Sirefef

We have been investigating the appearance of a new variation of the ZeroAccess/Sirefef bot. In February, we published a detailed analysis of the network behavior of this bot and the encrypted p2p protocol that it uses to communicate with its peers. The main purpose of this botnet is to distribute malware responsible for ad-click fraud.

Download the Malware Analysis Report - New C&C Protocol for ZeroAccess/Sirefef.

The traffic generated by the ad-click fraud is 0.1MBits/second when averaged out. For the infected consumer, this adds up to 32GBytes per month which it is the equivalent of downloading 45 full length movies. For the service provider, the impact on their network depends on the number of infected subscribers. The observed infection rate in mid-June was about 0.8%. This means that at any instant this bot alone is consuming 800MBits/sec of bandwidth for every 1M users on the network.

The underlying structure and function of the bot remain the same, but the command and control(C&C) protocol has switched to a combination of TCP and UDP. It also attempts to use UDP broadcasts addresses as part of its rallying strategy. We did not see any successful responses from this. The botnet continues to be very prolific with this new variety infecting about 0.8% of the home networks protected by Kindsight. Over a one week period on one network, we observed 2856 infected computers actively communicating with over one million Internet peers.

By Kevin McNamee, Kindsight Security Labs