Bitcoin botnet ZeroAccess tops threat list: Fortinet
By Digital News Asia April 17, 2013
- ZeroAccess may be generating its owners up to US$100,000 per day in fraudulent advertising revenue alone
- Spike in infections reported for two new Android adware in the past 90 days
Bitcoin mining botnet ZeroAccess was the number one threat this quarter, according to the latest FortiGuard threat landscape report, which covered Jan 1 to March 31.
In addition, the report found that two new Android adware variants have climbed the watch list in the last 90 days.
“In the first quarter of 2013, we have seen owners of the ZeroAccess botnet maintain and expand the number of bots under its control,” said Richard Henderson, security strategist and threat researcher for Fortinet’s FortiGuard Labs. “In the last 90 days, the owners of ZeroAccess have sent their infected hosts 20 software updates.”
Based on reporting from FortiGate devices worldwide, ZeroAccess is the number one botnet threat the team is seeing. ZeroAccess is used primarily for click fraud and Bitcoin mining.
“As Bitcoin’s popularity and value increases, we may see other botnet owners attempt to utilize their botnets in similar fashions or to disrupt the Bitcoin market,” Henderson added.
The value of the decentralized, open source-based digital currency continues to skyrocket, which likely means the amount of money being made by ZeroAccess is in the millions of dollars or more, Fortinet said in a statement.
In March and into April, Mt. Gox, the largest Bitcoin Exchange in the world, battled a continued Distributed Denial of Service (DDoS) attack in an attempt to destabilize the currency and/or profit from it.
FortiGuard Labs’ analysis of ZeroAccess, which has the capability to load DDoS modules onto infected machines, revealed that the botnet does not currently have a DDoS module attached to its arsenal. This suggests other botnet owners are attempting to profit from fluctuations in the Bitcoin currency.
The growth of new ZeroAccess infections has remained constant in the last 90 days. Since FortiGuard Labs began actively monitoring ZeroAccess in August 2012, the team has seen virtually linear growth in new infections.
Most recently, the team reported a staggering 100,000 new infections per week and almost three million unique IP addresses reporting infections. It’s estimated that ZeroAccess may be generating its owners up to US$100,000 per day in fraudulent advertising revenue alone.
Adware variants propagating on Android
The Fortinet team also reported that two new Android adware variants, Android.NewyearL.B and Android.Plankton.B, have seen a large number of global infections in the past 90 days.
“The new advertising kits we are monitoring suggest that the authors behind this are working very hard to remain undetected,” said David Maciejak, senior researcher for Fortinet’s FortiGuard Labs.
“It’s also possible that Newyear and Plankton are being written by the same author, but being maintained separately in order to generate more infections,” he added.
Both pieces of malware are embedded into various applications and have the ability to display advertisements, track users through the phone’s unique IMEI number, and modify the phone’s desktop.
“The surge in Android adware can most likely be attributed to users installing what they believe are legitimate applications that contain the embedded adware code,” said Guillaume Lovet, senior manager at FortiGuard Labs. “It suggests that someone or some group has been able to monetize these infections, most likely through illicit advertising affiliate programs.”
Users can protect themselves by paying close attention to the permissions an application requests at the point of installation. It is also recommended that they only download mobile applications that have been highly rated and reviewed.