ZeroAccess criminals wave white flag: The impact of partnerships on cybercrime

The following is a post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

Two weeks after Microsoft filed its civil case in the U.S. District Court for the Western District of Texas against the notorious Sirefef botnet, also known as ZeroAccess, I am pleased to report that our disruption effort has been successful, and it appears that the criminals have abandoned their botnet. As a result, last week Microsoft requested that the court close the civil case in order to allow law enforcement to continue their investigative efforts in the matter.

As stated at the outset of this disruption effort, Microsoft and its partners did not expect to fully eliminate the ZeroAccess botnet because of the complexity of the threat. Rather, our focus was to protect people by cleaning the computers infected with the malware so they could no longer be used for harm. As we expected, less than 24 hours after our disruptive action, the cybercriminals pushed out new instructions to the ZeroAccess-infected computers in order to continue their fraud schemes. However, because we were monitoring their actions and were able to identify the new Internet Protocol (IP) addresses the criminals were using to commit their crimes, Europol’s European Cybercrime Centre (EC3) took immediate action to coordinate with member country law enforcement agencies, led by the Cyber Intelligence Unit of Germany’s Bundeskriminalamt (BKA), to quickly track down those new fraud IP addresses.

After BKA’s quick response, the bot-herders released one additional update to the infected computers that included the message “WHITE FLAG,” which we believe symbolizes that the criminals have decided to surrender control of the botnet. Since that time, we have not seen any additional attempts by the bot-herders to release new code, and as a result the botnet is currently no longer being used to commit fraud.

The cybercriminals’ decision to halt their activities underscores how effective partnerships are in the fight against cybercrime. Microsoft’s partnership with EC3 was crucial to the success of this disruption. In turn, EC3’s coordination with member-state law enforcement agencies like BKA in Germany and the National Hi Tech Crime Units from the Netherlands, Latvia, Switzerland and Luxembourg demonstrates the need for international cross-jurisdictional cooperation at a speed equal to the criminal cyber threats affecting people globally.

We would like to thank all of our partners for their work to combat the ZeroAccess botnet. Microsoft is committed to protecting the public from cyber threats, and trustworthy partnership with the research and law-enforcement community is a critical component of this. We will continue to work closely with the security community globally in disruptive actions that help protect our customers and put cybercriminals out of business.

Now that Microsoft has closed the civil case, and law enforcement continues their criminal investigations to pursue the individuals behind the botnet, we must continue to focus our efforts on working with ecosystem partners around the world to notify people if their computer is infected.

As we originally shared, ZeroAccess is very sophisticated malware, and it actually blocks attempts to remove it, so we recommend that people visit for detailed instructions on how to clean their computers.

ZeroAccess was the first botnet operation completed since Microsoft opened the Cybercrime Center in November. The Cybercrime Center, which combines Microsoft’s legal and technical expertise with cutting-edge tools and technology to fight cybercrime, enables DCU to more effectively work with partners to fight cybercrime. I am confident you’ll hear of additional important work coming out of the Center in the months ahead.

To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.
