Botnet ZeroAccess Hit With Complaint by Microsoft, but Will This Slow the Malware Industry Down?

By: Ifrah Law

ZeroAccess is one of the world’s largest botnets – a network of computers infected with malware to trigger online fraud.  Recently, after having eluded investigators for months, ZeroAccess was disrupted by Microsoft and law enforcement agencies.

Earlier this month, armed with a court order and law enforcement help overseas, Microsoft took steps to cut off communication links to the European-based servers considered the mega-brain for an army of zombie computers known as ZeroAccess. Microsoft also took control of 49 domains associated with ZeroAccess.  Although Microsoft does not know precisely who is behind ZeroAccess, Microsoft’s civil suit against the operators of ZeroAccess may foreshadow future enforcement efforts against operators alleged to have illegally accessed and overtaken people’s computers.

ZeroAccess, also known as max++ and Sirefef, is a Trojan horse computer malware that affects Microsoft Windows operating systems.  It is used to download other malware on an infected machine and to form a botnet mostly involved in Bitcoin mining and click fraud, while remaining hidden on a system.  Victims’ computers usually fall prey to ZeroAccess as the result of a drive-by download or from the installation of pirated software.   Essentially, ZeroAccess hijacks web search results and redirects users to potentially dangerous sites to steal their details.  It also generates fraudulent ad clicks on infected computers then claims payouts from duped advertisers.

The Microsoft lawsuit, originally filed under seal in Texas federal court, alleges, among other things,  violations of the Computer Fraud and Abuse Act  (“CFAA”) (18 U.S.C. §1030), the Electronic Communications Privacy Act (18 U.S.C. §2701), and various trademark violations under the Lanham Act (15 U.S.C. §1114 et seq.).  Microsoft secured an injunction blocking all communications between computers in the U.S. and 18 specific IP addresses that had been identified as being associated with the botnet.  The company also took control of 49 domains associated with ZeroAccess.  Microsoft took action against ZeroAccess in collaboration with Europol’s European Cybercrime Centre, the FBI, and other industry partners.  As Microsoft enacted the civil order obtained in its case, Europol coordinated law enforcement agency action in Germany, Latvia, Luxembourg, the Netherlands and Sweden to execute search warrants and seize servers associated with the fraudulent IP addresses operating within Europe.

The federal statutes on which Microsoft relied in its lawsuit may be broad enough to capture the gravamen of the complaint here.  For example, the CFAA was enacted in 1986 to protect computers that there was a compelling federal interest to protect, such as those owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer related activities and there has been recent discussion on Capitol Hill of amending it further. The CFAA now prohibits accessing any computer without proper authorization or if it is used in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing plaintiffs and prosecutors unfettered discretion by allowing claims based merely on violations of a website’s terms of service.  In those cases in which ZeroAccess has accessed a user’s computer entirely without permission, there will likely be no dispute about whether the CFAA applies; however, in any follow-on cases in which the authority to access the computer was less clear, Microsoft may have more difficulty in relying upon this statute.

According to Microsoft, more than 800,000 ZeroAccess-infected computers were active on the internet on any given day as of October of this year.  Although the latest action is expected to significantly disrupt ZeroAccess’ operation, Microsoft has not yet been able to identify the individuals behind the botnet, which is still very much intact. Microsoft’s attack is noteworthy in that it represents a rare instance of significant damage being done to a botnet that is controlled via a peer-to-peer system.  But ZeroAccess has come back to life once before after an attack on it, and it would not be surprising if it recovered from this attack as well.  Unless Microsoft or Europol can identify the “John Does 1-8”referenced in the complaint, this and other botnets will keep on operating without fear of reprisal.

The big question at this point is whether Microsoft’s actions will have an enduring impact beyond ZeroAccess.  Will Microsoft’s actions spur other private companies to take steps of their own to stop malicious software?  That answer remains to be seen.