With more than 1.9 million computers infected the ZeroAccess botnet is second only to the Conficker in the number of hosts it has infected. The unique feature of the ZeroAccess botnet is that it uses a peer-to-peer command-and-control architecture. Most botnets can be brought down by purging the C&C server. Since ZeroAccess has no C&C server it has proven to be difficult to fight.
ZeroAccess’ first action upon infecting a computer is to find other computers it has infected creating a peer to peer network. This allows the bots to pass on instructions immediately. The peers in the network maintain continuous communication with one another checking for updates to prevent it from being removed.
In March of this year Symantec studied ZeroAcess in great detail to find a way to sinkhole the botnet. Symantec found a way to liberate peers from the botmaster. Then, while monitoring the botnet, on June 29 Symantec seen a new version of ZeroAccess being sent from peer-to-peer. At that time there was an update to the ZeroAccess bot that addressed the design flaws Symantec was targeting to sinkhole the botnet.
Symantec decided on July 16, that instead of missing the opportunity, they executed their plan to sinkhole ZeroAccess. Very rapidly Symantec was able to free over half a million bots, thus making a major reduction to the number of bots under the botmaster’s control.
In the meantime, Symantec have been working together with ISPs and CERTs worldwide to share information and help get infected computers cleaned.