Botnets pose the biggest threat to the Internet because of the sheer number of computers they use to execute their attacks. Millions of computers are currently co-opted by many different botnets to serve at the whim of attackers. The recent announcement by Symantec regarding the liberation of half a million computers only highlights the severity of this problem. According to the company, the ZeroAccess botnet is composed of more than 1.9 million infected computers, which have been used to perform click fraud, Bitcoin mining, and other activities.
With tens of millions of dollars at stake every year, these cyber criminals are sophisticated, well educated, and well funded.
The researchers at Symantec devised a plan to sinkhole ZeroAccess, which essentially means taking over the control channel from the original malicious bot-herder. As the plan moved forward, the company published updates on its progress, including some of the weaknesses it had discovered in ZeroAccess. News of the weaknesses reached the ZeroAccess operators, and the botmaster upgraded the botnet to block any sinkholing attempts, but Symantec moved ahead before the upgrade was complete and was able to detach, or free, the 500,000 computers.
According to officials at Symantec, it took just five minutes of P2P activity to sinkhole a new ZeroAccess bot. The botnet was very profitable: it was used as a courier service to deliver additional payloads to infected computers; to commit click fraud against online advertising by generating fake clicks on pay-per-click (PPC) marketing campaigns; and to mine Bitcoin.
Symantec calculated the payoff for each of the activities performed by the botnet. The click fraud scheme, for example, is able to generate a large amount of money. The company's investigation found that each bot generated 257 MB of network traffic every hour, or 6.1 GB in a 24-hour period. The number of false clicks it generated came out to 1008 per day, or 42 every hour. This number sounds very small, and since each click paid a penny or less the effort might seem trivial, but the payoff can only be appreciated when it is multiplied by the 1.9 million computers under ZeroAccess. Symantec estimates the attackers were potentially generating tens of millions of dollars every year.
The researchers not only examined the financial loss, but also addressed the amount of energy the 1.9 million computers consumed, which totaled 3,458,000 kWh (3,458 MWh) each day, enough to power over 111,000 homes.