Cyber Crime, and in particular botmasters, never cease to amaze. If you were (not so much) surprised in discovering the compromised supply chain behind the Nitol Botnet (that allowed Chinese manufacturers to sell compromised computers pre-installed with the botnet), you’d better have a look at the ZeroAccess Botnet, which has recently been analyzed by Sophos.
ZeroAccess has some impressive “state-of-the-art” features such as:
- Pure User-Mode on 32-bit Windows platforms;
- A Peer-to-peer protocol for communicating with other members of the Botnet to receive updates and downlad plugins;
- A modular architecture (via plugins) that allows to generate revenues for Botnet owners in different ways: Click Fraud or Bitcoin Mining (revenues that the security firms estimates in USD 100,000 per day with the botnet at full power);
- A compromised population of over 9 million of PCs infected.
Really impressive features indeed, even if I must confess they were not the ones that impressed me most.
One of the challenges of a “successful” botnet is the capability to spread as quickly as possible, and infect and insert in the botnet (read enroll) the largest number of hosts in the shortest possible time.
Cyber Criminals are becoming increasingly aware of this, and hence, have developed a lucrative Pay-Per-Install
partnership affiliate scheme to distribute the dropper. This affiliate scheme (I like to call it Partnership program) foresees wall paid revenues for affiliates who are able to execute successful installation of the dropper. This is exactly what happens in case of ZeroAccess and it is the reason of its large-scale extent.
The scheme is typically advertised on underground forums and, in case of ZeroAccess, the revenues are differentiated based on the country (probably US victims are the most lucrative, since US gets paid the most, then UK, Canada and Australia), and also on the access rights of the infected user (Admin gets paid more).
After the discovery of compromised supply chains and programs that foresee revenues for botnet distributors, have you still doubts about the fact that Cyber Crime is really becoming an industry?