Recently, we helped a client get rid of some pretty nasty malware. They knew something was wrong when their IP address was blacklisted, so they called us to help. We found that one of their computers was infected with the ZeroAccess botnet, which was using the computer to send messages to servers all over the world. Thankfully, we were able to put a stop to it.
This experience got us thinking that it might be helpful for our clients to know what botnets--a particularly harmful form of malware--are, what they do, and how to avoid them. Read on for the full scoop.
So, what is a botnet?
A botnet is a network of infected computers that cybercriminals control remotely and use as a virtual army to make money. The malware that enrolls a computer in the botnet is usually called a bot. Once a bot is installed, the criminals can use that computer to send spam, steal financial information, overwhelm targeted servers with traffic (a distributed denial-of-service attack), and perpetrate any number of other criminal acts. Of course, the bot runs quietly in the background, so the user has no idea that his or her computer is doing these things.
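Because the bot hides from the user, the place it usually shows up is the firewall log: one inside machine contacting many distinct outside addresses, the "sending messages to servers all over the world" pattern from our client's case. The script below is an added example (not code from the original post or from any product we use); the log format, the addresses and the threshold are constructed for illustration.

```python
"""Spot internal hosts that fan out to an unusual number of distinct external
peers, the network-side footprint of a bot talking to its controllers.
Added example: the "<time> <action> <src> -> <dst>:<port> <proto>" log format
and all addresses below are constructed for illustration."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not real traffic).  192.168.1.31 plays the infected host.
SAMPLE_LOG = """\
2013-12-09T10:00:01 allow 192.168.1.20 -> 93.184.216.34:443 tcp
2013-12-09T10:00:02 allow 192.168.1.20 -> 93.184.216.34:443 tcp
2013-12-09T10:00:05 allow 192.168.1.20 -> 192.168.1.1:53 udp
2013-12-09T10:00:06 allow 192.168.1.20 -> 198.51.100.7:80 tcp
2013-12-09T10:00:07 allow 192.168.1.31 -> 203.0.113.10:33421 udp
2013-12-09T10:00:07 allow 192.168.1.31 -> 203.0.113.11:48115 udp
2013-12-09T10:00:08 deny  192.168.1.31 -> 203.0.113.12:51200 udp
2013-12-09T10:00:08 allow 192.168.1.31 -> 198.51.100.20:33421 udp
2013-12-09T10:00:09 allow 192.168.1.31 -> 198.51.100.21:60001 udp
2013-12-09T10:00:09 allow 192.168.1.31 -> 198.51.100.22:33421 udp
2013-12-09T10:00:10 allow 192.168.1.31 -> 203.0.113.50:40404 udp
2013-12-09T10:00:10 allow 192.168.1.31 -> 192.168.1.1:53 udp
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(\S+)\s+(allow|deny)\s+(\S+)\s+->\s+(\S+):(\d+)\s+(tcp|udp)$")

# Ranges treated as "inside"; everything else is an external peer.  We do not
# use ipaddress.is_private because it also covers the TEST-NET documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) used for the sample external peers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, src, dst, port, proto = m.groups()
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "port": int(port), "proto": proto}


def peer_fanout(lines):
    """Map each internal source host to the set of distinct external peers it contacted.
    Denied attempts count too: a bot probing peers it cannot reach is still a bot."""
    peers = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_external(rec["src"]) or not is_external(rec["dst"]):
            continue
        peers[rec["src"]].add(rec["dst"])
    return peers


def flag_hosts(lines, threshold=5):
    """Return internal hosts that contacted at least `threshold` distinct external peers."""
    return sorted(h for h, p in peer_fanout(lines).items() if len(p) >= threshold)


if __name__ == "__main__":
    fanout = peer_fanout(SAMPLE_LOG.splitlines())
    for host in flag_hosts(SAMPLE_LOG.splitlines()):
        print(f"{host}: {len(fanout[host])} distinct external peers")
```

The threshold of 5 fits the tiny sample only; a real workstation contacts dozens of content-delivery and update hosts in an hour, so set the threshold from a baseline of your own traffic and count per time window rather than over the whole log.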
How do botnets infect innocent computers?
Bots reach unsuspecting users' computers in pretty much the same ways that all malware does. Sometimes simply visiting a compromised website (one that may otherwise be perfectly legitimate) is enough, because the site silently serves an exploit for an unpatched browser or plugin. Other times, downloading software from an untrustworthy source installs the bot along with whatever the user wanted. And then, of course, there are always email attachments.
What does the ZeroAccess botnet do?
At least one of the ways that the ZeroAccess botnet--the one that infected our client--makes money for its creators is click fraud: mobilizing the army of infected computers to generate pay-per-click ad revenue. It works like this: the criminals set up websites designed to rank artificially high in search results. They use those rankings to recruit advertisers, who agree to pay for each click on ads placed on the sites. Then they have each computer in the botnet quietly click on those ads, so the advertisers end up paying the criminals significant sums for clicks that no real person ever made.
Interestingly, just a few days ago Microsoft announced that its "Digital Crimes Unit," in partnership with law enforcement agencies, took down the websites running the ZeroAccess ads and even shut down some of the servers propagating the botnet. This may even have led to the blacklisting of IP addresses known to be affected by ZeroAccess, like our client's. This is, of course, good news. It decreases the profitability of the botnet, so hopefully the risk of getting caught won't be worth the reward for the cybercriminals. Still, as others have pointed out, this doesn't mean that ZeroAccess no longer poses a threat: the infected computers remain infected. At the very least, having your IP address blacklisted can block business-critical functions like sending email.
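Most mail servers decide an address is "blacklisted" by querying a DNS-based blocklist (DNSBL), and you can run the same query yourself to find out whether your public address is listed and why. The script below is an added example, not code from the original post. The lookup convention (reverse the octets, prepend them to the zone name, resolve an A record; no answer means not listed) is shared by DNSBLs generally; the zone name and the meaning of the 127.0.0.x answers are assumptions based on the Spamhaus ZEN documentation, so confirm them against the zone's current documentation before acting on a result.

```python
"""Check whether a public IPv4 address is listed on a DNS-based blocklist.
Added example, not code from the original post.  Zone and answer-code
meanings are assumptions taken from Spamhaus ZEN documentation."""
import ipaddress
import socket

ZONE = "zen.spamhaus.org"  # assumed zone; any DNSBL using the same convention works

# Private ranges that no public DNSBL will ever list; looking them up is a mistake.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def dnsbl_name(ip, zone=ZONE):
    """'203.0.113.5' -> '5.113.0.203.zen.spamhaus.org' (octets reversed, zone appended)."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on junk input
    if addr.is_loopback or any(addr in net for net in PRIVATE_NETS):
        raise ValueError(f"{ip} is not a public address; nothing to look up")
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def classify(answer):
    """Interpret one A-record answer.  Ranges follow Spamhaus ZEN docs (assumed)."""
    a = ipaddress.IPv4Address(answer)
    if a in ipaddress.ip_network("127.255.255.0/24"):
        return "error (not a listing)"  # e.g. query refused, typically via a public resolver
    if a not in ipaddress.ip_network("127.0.0.0/24"):
        return f"unknown answer {answer}"
    last = int(answer.rsplit(".", 1)[1])
    if last in (2, 3):
        return "SBL (spam source)"
    if 4 <= last <= 7:
        return "XBL (bot-infected host)"
    if last == 9:
        return "SBL DROP (hijacked or criminal netblock)"
    if last in (10, 11):
        return "PBL (end-user range that should not send mail directly)"
    return f"unknown answer {answer}"


def resolve_all(name):
    """Default resolver: every A record for `name`, or [] when resolution fails (NXDOMAIN)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_ip(ip, zone=ZONE, resolve=resolve_all):
    """Return {'ip', 'listed', 'lists'}.  Pass a custom `resolve` to test offline."""
    answers = resolve(dnsbl_name(ip, zone))
    return {"ip": ip, "listed": bool(answers), "lists": [classify(a) for a in answers]}


if __name__ == "__main__":
    import sys
    # Constructed default: 203.0.113.5 is a documentation address, not a real host.
    print(check_ip(sys.argv[1] if len(sys.argv) > 1 else "203.0.113.5"))
```

Run it with the public address your mail server sends from (your outbound NAT address, not an internal one). An XBL answer is the one that matches our client's situation: that component lists hosts observed behaving like infected machines, so a hit there is strong evidence that something behind that address is still infected, and delisting requests are pointless until the machine is cleaned.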
How to avoid ZeroAccess and other botnets
Users can avoid botnets in the same ways that they avoid other malware--by employing appropriate security measures like firewalls and antivirus software, by keeping the operating system, browser, and browser plugins patched (the drive-by infections described above depend on unpatched software), and by remaining vigilant. Be wary of websites--even legitimate ones--that look neglected or haven't been updated in a long time; unmaintained sites are easy targets for compromise. Don't open attachments or click on links in emails unless you are absolutely sure they come from a trusted sender. And always notify your system administrator if you think you may have inadvertently downloaded malware.
Hopefully, our client's experience with the ZeroAccess botnet shows you just how serious and harmful malware can be, and just how important secure systems and vigilant users are. Feel free to reach out with any questions.