
Windows Security Article on Zero Access Disrupted.....

Interesting article in regards to the ZeroAccess and Rustock botnets. Also has links to the Microsoft Online Safety Scanner, and complete lists of Microsoft Fixes to diagnose and repair any issues.

on 07/12/13 6:37:41 EST PM
McAfee Volunteer

Re: Windows Security Article on Zero Access Disrupted.....

The legal complaint document issued by Microsoft against John Does 1 - 8 (those held to be responsible for administering all or part of the 2-million-strong ZeroAccess botnet) contains, apart from the expected verbose legalese, some highly instructive explanations of

  • Click Fraud
  • Botnets
  • The architecture of the P2P ZeroAccess botnet
  • Botnet communications
  • What ZeroAccess does once installed.

The rootkit element of ZeroAccess, aka Sirefef, should not be overlooked, nor should it be underestimated. Complete removal of ZeroAccess is not guaranteed by any single tool or utility, nor by any combination of such tools used in combination. The MBR may be permanently damaged by attempts to remove changes made by ZeroAccess, so proceed with caution. Perhaps the only sure way to be rid of the infection is to reformat an infected hard drive and re-image from a known safe backup copy.

More on this partial takedown of the botnet (it is not yet known how badly the botnet's operations have been impacted) -

Apparently the John Doe 4 accused in the legal complaint is a malware researcher who bought a couple of domains with which ZeroAccess was supposedly communicating, for the purposes of sinkholing and for examining network traffic. Bad timing, as he was scooped up in the Microsoft trawl.

There is a highly technical paper on the resilience of P2P (peer-to-peer) botnets HERE if you're interested.
