Since our last paper on ZeroAccess, the authors have made significant changes. In this paper we will examine those changes and take a closer look at the ZeroAccess botnet itself, exploring its size, functionality and purpose. We will explain in detail how the peer-to-peer protocol works, what network traffic is created, and how the bot phones home during installation. Then we will examine the plugin files that the botnet downloads: what these files are, what they do and how they work.
- We will show how ZeroAccess has been installed over 9 million times and that the current size of the botnet is somewhere in the region of 1 million machines spread throughout the world, but with the majority located in the U.S.
- We will explore the financial aspects of the botnet, examining how click fraud and Bitcoin mining can earn the botnet owners a potential $100,000 a day.
- Finally we will explore some counter-measures that can be taken against the botnet and attempt to draw some conclusions from what we have learned.