[patriq]

I took a look at the IP contacted from 10 random ZeroAccess samples and found they contact some of the same inital C&C's:

Code: Select all

 8x - 85.114.128.127 - (Germany) - SSH-2.0-OpenSSH_6.1p1 Debian-4
 5x - 199.21.165.8 - (Saint Kitts and Nevis) filtered
 5x - 195.158.13.161 - (Uzbekistan) filtered 
 4x - 89.125.44.231 - (Ireland) 49152-6 open
 4x - 200.60.63.108 - (Peru) filtered
 4x - 196.20.97.53 - (Algeria) filtered
 4x - 188.114.130.243
 4x - 178.249.152.4
 4x - 122.61.0.75
 3x - 94.71.12.95

85.114.128.127
ZeroAccess pushed via SweetOrange and Nuclear EK's
ZeroAccess traffic to this IP detected since Summer 2013
http://urlquery.net/report.php?id=7096426
http://urlquery.net/report.php?id=4140845

[EP_X0FF]

Not really new as all these was discussed here http://www.kernelmode.info/forum/viewto ... 13&p=18816 and http://www.kernelmode.info/forum/viewto ... =16&t=2613. I don't really know details as I don't monitor ZeroAccess anymore but according to public information the mentioned IP's are likely click fraud trackers (they are hardcoded inside numerous Sirefef plugins), initial call home (geo-ip) addresses + pattern traffic filtering (as Sirefef data easy to recognize) preventing botnet communications. So this is likely the way Sophos suggested about a year ago. Simple and rough.

How effective this against ZeroAccess? You can test it yourself - take a fresh sample from this thread, run it and look where it will connect (initial geo-ip call home, bootstrap lists in s32, s64 files and finally click fraud trackers), what it will download (if it will) and how fresh this stuff will be (extract IP addresses from tracker plugin "80000000.@" and look if they are alive/sinkholed).

What the ZeroAccess will do? They will establish new infrastructure (if they don't anything for backup already) then push new version (3.0) with updated data and maybe new protocol with adding to bypass network data filtering. Still Sirefef experienced damage though.

[rinn]

Hi.
Yep, they actually already tried to do "come back", but failed.

Below is screenshot of what actually now distributed in p2p ZeroAccess network.


http://i.imgur.com/f5QxKah.png

Quite obvious for now this botnet is operational but out of control and they don't have a plan "B" as their backup servers (many of them were already sinkholed by various researchers etc) banned by MS. What more important - for now ZeroAccess gang have no countermeasures for this. Maybe they are under development right now :)

Best Regards,
-rin

[EP_X0FF]

ZeroAccess botnet work paralyzed for more than 2 weeks.

http://blogs.technet.com/b/microsoft_bl ... crime.aspx

As you can read from above rinn post and this blog entry:

1) Technically ZeroAccess is alive. Still several millions of infected PC can communicate via p2p protocol. But it is dying without new bots and updates like any other abandoned botnet.
2) Practically (for it customers and their money) - ZeroAccess is dead as profitable botnet because it now impossible safely deliver new payload modules because of terminated infrastructure and high risk of new losses.
3) There were no updates for ZeroAccess payloads over 2 weeks (since white flag message), which means botnet operators really give up.

From the perspective we have three options also:

1) Another attempts to regain control of dying botnet. But they already tried and failed.
2) Give up. Impossible. It is way too profitable business.
3) New bot, new botnet. Maybe it even will be named differently.

As a conclusion: Sirefef experienced greatest hit since beginning of it existence and now in comatose.

[unixfreaxjp]

The infrastructure is still there. We'll see what will happen.

[unixfreaxjp]

On the other hand, congratulations friends, on the effort in taking down ZA.
Is a hard effort and I believe me I do know how it is.
A hit just don't make it down for good, sometimes we must deliver multiple hits and keep on it.

ZA is nasty one yet its network group is actually splitting, pls noted.
One of the group is share IP w/Kelihos that's why I know this.
Tigzy has a very good data if you want to see 3rd party feedback on what you did.

Wish you all Happy new year 2014! Thank's for the hard work!

[kmd]

So it finaly dead? :D No updates?

p.s. happy new year)

[EP_X0FF]

So it finaly dead?

Yes, in term of botnet it is dead. Last update 6 dec 2013. White Flag in attach, "excellent" VT detection ratio.

[EP_X0FF]

Sirefef resurrected, date stamp 20/03/2014. If you have new sirefef droppers (presumable they will be pushed soon on drop zones) please share, as for now we have data only from sirefef farms.

edit:

Updated modules attached. Click fraud is back.

[flyroom]

It's interesting to see that the botmaster behind all this switch to port 16471/16470 for click fraud, still no funtional plugins seen on the other branches.

Sirefef resurrected, date stamp 20/03/2014. If you have new sirefef droppers (presumable they will be pushed soon on drop zones) please share, as for now we have data only from sirefef farms.

edit:

Updated modules attached. Click fraud is back.