9 Million PCs Compromised by ZeroAccess Botnet

In recent months, the Win32/Sirefef and Win64/Sirefef rootkit family, also known as the ZeroAccess botnet, has significantly expanded its reach, infecting millions of computers worldwide. The botnet has updated its command and control protocols and now connects to over one million systems globally. Earlier versions were noted for creating hidden partitions on hard drives and using NTFS alternate data streams to conceal their presence. Its developers have since changed the infection tactics, dropping the kernel-mode components in the latest version. Security firms have been actively monitoring the increase in x64 infections, and SophosLabs has recently uncovered a significant change in the botnet's strategy: it now operates entirely in user-mode memory. Two distinct ZeroAccess botnets exist, each with both a 32-bit and a 64-bit version, giving a total of four unique botnets. Each one operates independently, communicating over a specific hard-coded port number embedded in the bot executable.

Surge in ZeroAccess Botnet Infections: 9 Million PCs Compromised

On September 19, 2012, alarming reports surfaced concerning the ZeroAccess botnet, a sophisticated rootkit family identified as Win32/Sirefef and Win64/Sirefef. This malware has undergone significant evolution, effectively updating its command and control protocols to infiltrate an estimated 9 million computers worldwide. This surge in infections highlights the botnet’s ability to connect with over one million hosts globally, raising concerns about cybersecurity across various sectors.

Notably, the ZeroAccess botnet has used the strategy of creating hidden partitions on infected hard drives and storing components in NTFS alternate data streams to maintain its presence while evading detection. Recent developments indicate that the ZeroAccess developers have shifted tactics, moving away from kernel-mode components in favor of operating entirely in user-mode memory. Security researchers have observed a concerning rise in x64 infections, and findings from SophosLabs point to a significant change in the botnet's operational framework.
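The alternate data streams mentioned above are an NTFS feature that hides a second payload behind an ordinary-looking file name, and they are invisible to `dir` and Explorer. The following PowerShell snippet is an added example, not code from the article or from the security firms it cites; it walks a directory tree and reports every named stream other than the default `:$DATA`, separating out the benign `Zone.Identifier` stream that browsers attach to downloads so the remaining hits are easier to triage. The root path `C:\Users` is a placeholder to replace with the tree being audited.

```powershell
# Added example (not from the article): enumerate NTFS alternate data streams
# under a directory and report any stream other than the default ':$DATA'.
# Assumes Windows PowerShell 3.0+ or PowerShell 7 on an NTFS volume.
function Get-NonDefaultStreams {
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every named stream on the file, including ':$DATA'
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Placeholder root; replace with the directory tree you want to audit.
$streams = Get-NonDefaultStreams -Path 'C:\Users'

# Zone.Identifier is the expected "mark of the web" stream on downloaded
# files; count it separately so unexplained streams stand out.
$zone = @($streams | Where-Object { $_.Stream -eq 'Zone.Identifier' })
"Zone.Identifier streams: $($zone.Count)"

# Anything else deserves a closer look (size, owning file, creation time).
$streams |
    Where-Object { $_.Stream -ne 'Zone.Identifier' } |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt so that user profile directories and other access-controlled locations are readable; large named streams on executables or system directories are the findings worth correlating with the rest of the host's artifacts.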

Two distinct variants of the ZeroAccess botnet exist, corresponding to its 32-bit and 64-bit architectures. Each variant operates as a self-contained unit, employing hard-coded port numbers for communication. This isolation contributes to the botnets’ resilience against mitigation efforts, as they do not rely on external networks.

The targets are primarily personal computers across various demographics; business owners in particular may find themselves at risk given the prevalence of this malware in everyday tech environments. The ZeroAccess botnet does not discriminate based on geographical boundaries, posing a threat to users regardless of their location. This wide-reaching impact is a serious concern for organizations that rely heavily on IT systems for their day-to-day operations and sensitive data management.

In considering the techniques likely employed by the ZeroAccess botnet, several MITRE ATT&CK tactics can be identified. The initial access method appears to involve social engineering or exploitation of vulnerabilities to gain a foothold on targeted systems. Persistence is maintained through the creation of hidden partitions, while privilege escalation remains a key focus for the botnet to ensure prolonged access to and control over infected machines.

This culmination of tactics demonstrates how the ZeroAccess botnet not only spreads rapidly but also adapts its infection strategy in response to cybersecurity advancements. Business owners, particularly in the tech-savvy sector, are urged to bolster their defenses through robust security protocols and regular system updates to safeguard against such extensive risks. As incidents involving the ZeroAccess botnet continue to rise, professionals in the cybersecurity space must remain vigilant and proactive in their approach to protecting sensitive data against evolving threats.
