The extinct ZeroAccess botet has suddenly come back from the dead in a number of countries by lighting up the remnants of its damaged infrastructure, security firm Dell SecureWorks has said.
On 15 January, after a silence that stretches back to last July 2014, the firm started detecting P2P traffic using a subset of hosts compromised in the past. Although very small by the standards of its 2011-2013 heydey, it has managed to infect 55,000 IP addresses to carry out its speciality, click fraud.
The top country for infections was Japan at around 15 percent, followed by India with 3.5 percent, Russia on 13 percent and the US on just under 5 percent. The number of hosts had declined slightly since its discovery probably as it is detected and cleaned by some victims.
Based on P2P, its design is resilient even as this small size, spreading through drive-by exploits. Dell SecureWorks doesn’t specify which software vulnerabilities the campaign has targeted but they won't be new.
ZeroAccess’s claim to fame is that it was successfully disrupted by Microsoft and law enforcement in December 2013, after which it reprised on a much smaller scale between April and July 2014. At its peak the botnet compromised as many as two million machines. It's other notable feature was its use of a P2P design which made it more difficult to intercept.
As Dell SecureWorks admits, its latest incarnation poses little direct threat to ordinary users other than consuming resources and defrauding advertisers.
“Its resiliency is a testament to the tenacity of its operators and highlights the danger of malware using P2P networks.”