The legal complaint document issued by Microsoft against John Does 1 - 8 (those alleged to be responsible for administering all or part of the 2-million-strong ZeroAccess botnet) contains, apart from the expected verbose legalese, some highly instructive explanations of
- Click Fraud
- The architecture of the P2P ZeroAccess botnet
- Botnet communications
- What ZeroAccess does once installed.
The rootkit element of ZeroAccess, aka Sirefef, should not be overlooked, nor should it be underestimated. Complete removal of ZeroAccess is not guaranteed by any single tool or utility, nor by any combination of such tools. The MBR may be permanently damaged by attempts to undo the changes made by ZeroAccess, so proceed with caution. Perhaps the only sure way to be rid of the infection is to reformat the infected hard drive and re-image it from a known safe backup copy.
More on this partial takedown of the botnet (it is not yet known how badly the botnet's operations have been impacted) -
Apparently the John Doe 4 accused in the legal complaint is a malware researcher who bought a couple of domains with which ZeroAccess was supposedly communicating, for the purposes of sinkholing and examining network traffic. Bad timing, as he was scooped up in the Microsoft trawl.
There is a highly technical paper on the resilience of P2P (peer-to-peer) botnets HERE if you're interested.