Archive for the ‘botnets’ Category

ZeroAccess criminals wave white flag: The impact of partnerships on cybercrime

December 19th, 2013

The following is a post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

Two weeks after Microsoft filed its civil case in the U.S. District Court for the Western District of Texas against the notorious Sirefef botnet, also known as ZeroAccess, I am pleased to report that our disruption effort has been successful, and it appears that the criminals have abandoned their botnet. As a result, last week Microsoft requested that the court close the civil case in order to allow law enforcement to continue their investigative efforts in the matter.

As stated at the outset of this disruption effort, Microsoft and its partners did not expect to fully eliminate the ZeroAccess botnet because of the complexity of the threat. Rather, our focus was to protect people by cleaning the computers infected with the malware so they could no longer be used for harm. As we expected, less than 24 hours after our disruptive action, the cybercriminals pushed out new instructions to the ZeroAccess-infected computers in order to continue their fraud schemes. However, because we were monitoring their actions and were able to identify the new Internet Protocol (IP) addresses the criminals were using to commit their crimes, Europol’s European Cybercrime Centre (EC3) took immediate action to coordinate with member-country law enforcement agencies, led by the Cyber Intelligence Unit of Germany’s Bundeskriminalamt (BKA), to quickly track down those new fraud IP addresses.

After BKA’s quick response, the bot-herders released one additional update to the infected computers that included the message “WHITE FLAG,” which we believe symbolizes that the criminals have decided to surrender control of the botnet. Since that time, we have not seen any additional attempts by the bot-herders to release new code and as a result, the botnet is currently no longer being used to commit fraud.

The cybercriminals’ decision to halt their activities underscores how effective partnerships are in the fight against cybercrime. Microsoft’s partnership with EC3 was crucial to the success of this disruption. In turn, EC3’s coordination with member-state law enforcement agencies like BKA in Germany and the National Hi Tech Crime Units from the Netherlands, Latvia, Switzerland and Luxembourg demonstrates the need for international cross-jurisdictional cooperation at a speed equal to the criminal cyber threats affecting people globally.

We would like to thank all of our partners for their work to combat the ZeroAccess botnet. Microsoft is committed to protecting the public from cyber threats, and trustworthy partnership with the research and law-enforcement community is a critical component of this. We will continue to work closely with the security community globally in disruptive actions that help protect our customers and put cybercriminals out of business.

Now that Microsoft has closed the civil case, and law enforcement continues their criminal investigations to pursue the individuals behind the botnet, we must continue to focus our efforts on working with ecosystem partners around the world to notify people if their computer is infected.

As we originally shared, ZeroAccess is very sophisticated malware, and it actually blocks attempts to remove it, so we recommend that people visit for detailed instructions on how to clean their computers.

ZeroAccess was the first botnet operation completed since Microsoft opened the Cybercrime Center in November. The Cybercrime Center, which combines Microsoft’s legal and technical expertise with cutting-edge tools and technology to fight cybercrime, enables DCU to more effectively work with partners to fight cybercrime. I am confident you’ll hear of additional important work coming out of the Center in the months ahead.

To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Categories: botnets, Digital Crimes Unit

Microsoft, Europol, FBI and industry partners disrupt notorious ZeroAccess botnet that hijacks search results

December 5th, 2013

The following is a post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

For the third time this year, Microsoft’s Digital Crimes Unit has successfully disrupted a dangerous botnet that has impacted millions of innocent people. Today, we’re pleased to announce that Microsoft, in conjunction with Europol’s European Cybercrime Centre (EC3), the Federal Bureau of Investigation and technology industry leaders such as A10 Networks, has taken action against the rampant Sirefef botnet, also known as ZeroAccess. The ZeroAccess botnet has infected nearly two million computers all over the world and cost online advertisers upwards of $2.7 million each month.

ZeroAccess targets all major search engines and browsers, including Google, Bing and Yahoo!. The majority of computers infected with ZeroAccess are located in the U.S. and Western Europe. Similar to the Bamital botnet, which Microsoft and industry partners took action against in February, ZeroAccess is responsible for hijacking search results and directing people to potentially dangerous websites that could install malware onto their computer, steal their personal information or fraudulently charge businesses for online advertisement clicks. ZeroAccess also commits click fraud.

Due to its botnet architecture, ZeroAccess is one of the most robust and durable botnets in operation today, and was built to be resilient to disruption efforts, relying on a peer-to-peer infrastructure that allows cybercriminals to remotely control the botnet from tens of thousands of different computers. Most often, computers become infected with ZeroAccess as a result of “drive-by-downloads,” where the cybercriminals create a website that downloads malware onto any unprotected computer that happens to visit that site. Computers can also become infected through counterfeit and unlicensed software, where criminals disguise ZeroAccess as legitimate software, tricking a person into downloading the ZeroAccess malware onto their computer.

Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet. However, we do expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes. We would like to thank A10 Networks, who provided Microsoft with advanced technology to support the disruptive action.

Microsoft is working with ecosystem partners around the world to notify people if their computer is infected, and will be making this information available through its Cyber Threat Intelligence Program (C-TIP). ZeroAccess is very sophisticated malware, blocking attempts to remove it, and we therefore recommend that people visit for detailed instructions on how to remove this threat. Because Microsoft found that the ZeroAccess malware disables security features on infected computers, leaving the computer susceptible to secondary infections, it is critical that victims rid their computers of ZeroAccess by using malware removal or anti-virus software as quickly as possible.

This is the first botnet action since the Nov. 14 unveiling of the new Microsoft Cybercrime Center – a center of excellence for advancing the global fight against cybercrime – and marks Microsoft’s eighth botnet action in the past three years. Similar to Microsoft’s Citadel botnet case, ZeroAccess is part of an extensive cooperative effort with industry partners and law enforcement to take out cybercriminal networks to ensure that people worldwide can use their computing devices and services with confidence.

More information about Thursday’s news against ZeroAccess is available here. This case and operation are ongoing, and we’ll continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Categories: botnets, Digital Crimes Unit, security

Get gamed and rue the day…

October 26th, 2011

As we discussed last week, socially engineered threats are specially crafted threats designed to lure the eye and trick the mind. They look legitimate or benign and, in the worst case, may take advantage of a trusted relationship by utilizing a compromised account or a familiar website. Social engineering techniques may be used in isolation, but attackers often use them in tandem with other types of exploit in order to accomplish their real purpose: delivering the payload. What follows is a typical example that illustrates how attackers attempt to exploit both people and systems in order to achieve their goals.

Last month, Worm:Win32/Gamarue, a bot-controlled worm, was discovered as the payload of a series of browser hijacks and traffic redirects to malicious servers hosting and performing multiple browser-based exploit attacks. The initial trigger event was identified as shared content, commented on a social networking site.


When users clicked on a link in a comment from a contact in order to see more information, they were first directed to another profile and then encouraged to click on another link. 


However, this second link directed affected users to malicious content that loaded a hidden iframe (detected as Exploit:JS/BlacoleRef.D, SHA1 8da25114758b2e3f454af0346ce7e716ac91c829). This iframe referenced an exploit server hosting a version of the ‘BlackHole’ exploit kit (detected as Exploit:JS/Mult.DJ, SHA1 4cba7b2385b7ee7a84992ddaf77aa6d85b72b5ce). The exploit server attempted to exploit multiple known vulnerabilities in the affected user’s browser until a successful compromise could be achieved. In our example, a malicious Java applet stored within a Java Archive (.JAR) (detected as Exploit:Java/CVE-2010-0840.FK, SHA1 87800737BF703002263E3DBA680E4EE9FE9CA5B0) was observed being loaded in browsers that had a vulnerable version of the Java plugin enabled. This Java vulnerability allows an unsigned Java applet to gain elevated privileges and potentially have unrestricted access to the host system outside its “sandbox” environment. The final result? The installation of Worm:Win32/Gamarue.A (SHA1 427fa7d7aa1e4ee8a57516979711e11e59e51559). When it first appeared, this threat did not appear to be detected by any known scanner.


Figure 1 – Method of delivery for Worm:Win32/Gamarue.A
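The delivery chain above hinges on an iframe the visitor never sees: the exploit kit landing page is loaded in a frame that is sized to a pixel, hidden by CSS, or pushed off-screen, and it points at a host other than the page being viewed. The following is an added example (not code from the MMPC post) of the check a defender can run over fetched page content to surface such frames; the sample HTML, the host names and the scoring rules are constructed for illustration.

```python
"""Flag hidden <iframe> elements of the kind used to pull in an exploit-kit
landing page without the visitor noticing.  Added example, not code from the
MMPC post; the sample HTML and host names below are constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style fragments that hide an element or move it off-screen.
HIDING_STYLES = (
    re.compile(r"display\s*:\s*none", re.I),
    re.compile(r"visibility\s*:\s*hidden", re.I),
    re.compile(r"(left|top)\s*:\s*-\d{3,}px", re.I),   # e.g. left:-1000px
)


def _tiny(value):
    """True when a width/height attribute is 0 or 1 (pixels or percent)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class _IframeCollector(HTMLParser):
    """Collects iframes that are invisible and/or point at a third-party host."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":            # HTMLParser lowercases tag names
            return
        a = dict(attrs)
        reasons = []
        if _tiny(a.get("width")) or _tiny(a.get("height")):
            reasons.append("zero-size")
        if any(p.search(a.get("style") or "") for p in HIDING_STYLES):
            reasons.append("hidden-by-style")
        src = a.get("src") or ""
        host = urlparse(src).hostname
        if host and self.page_host and host.lower() != self.page_host.lower():
            reasons.append("third-party-src")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def find_hidden_iframes(html, page_host):
    """Return a list of {"src", "reasons"} dicts for suspicious iframes."""
    parser = _IframeCollector(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample: a legitimate same-origin widget frame next to a 1x1,
# CSS-hidden frame that loads a page from an unrelated host.
SAMPLE_HTML = """<html><body>
<p>Profile page</p>
<iframe src="https://www.profile-site.test/widget" width="300" height="200"></iframe>
<iframe src="http://exploit-host.test/landing.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""


def scan_sample():
    """Run the check over the constructed sample page."""
    return find_hidden_iframes(SAMPLE_HTML, "www.profile-site.test")


if __name__ == "__main__":
    for f in scan_sample():
        print(f["src"], ",".join(f["reasons"]))
```

Only the 1x1 hidden frame is reported; the visible same-origin widget is not. In practice the reasons are weighted rather than treated as a verdict, since tracking pixels are also zero-size and third-party, but a frame that is both hidden and third-party is exactly the shape the BlackHole redirect took.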

A code fragment of this threat suggests that it may be a new bot called “Andromeda”. Similar to known bots such as Zeus and SpyEye, Andromeda is a modularized program whose functionality is developed and extended through plug-ins. It is also sold via an underground forum, where pricing varies depending on the version of the bot, the number of domains utilized, and the purchaser’s plug-in development requirements.

The elaborate methods used to distribute this threat suggest that, along with being mindful of illegitimate attempts to convince you to perform particular actions and keeping your software updated, your choice of browser really matters. Microsoft recently launched a new website which ranks your browser’s security from 0 to 4 and provides information on the risks involved in continuing to use older versions.

As always, we encourage you to stay safe online.

Methusela Cebrian Ferrer


MMPC Threat Report: Cracking open Qakbot

May 27th, 2011

Today, we’re releasing a Microsoft Malware Protection Center Threat Report on Qakbot as a follow-up to the recently released Microsoft SIRv10 and our special report on Battling Botnets in late 2010. This report focuses on one botnet in particular, Qakbot. Qakbot is a backdoor that includes user-mode rootkit functionality to hide itself, and it also steals sensitive user data from infected machines.

In addition to some of the interesting traits of Qakbot, such as the areas of the world where it’s most prevalent and the types of computers it targets, we found one particular aspect to be quite interesting – where the Qakbot authors may have gotten some of their code.

We have long suspected that the Qakbot authors were taking code samples from the Internet and incorporating them into their malware as the family evolved. Recently, while reviewing some of the earliest samples of Qakbot, we found something interesting: NtIllusion debug strings.

Qakbot NTIllusion Strings

NtIllusion is a rootkit that was first disclosed in an article in the underground security zine Phrack in July 2004. It includes functionality to hide processes, files, registry entries, and evidence of TCP/IP communication. It hooks several network communication APIs in order to steal POP3 and FTP passwords. This code still appears in Qakbot today.

You can read about this and more on Qakbot in our Threat Report:


Dan Kurc

Categories: botnets, MMPC, Qakbot, SIR v10

MSRT April ‘11: Win32/Afcore

April 13th, 2011

This month, the MSRT team added the Win32/Afcore family of trojans to its detections. This malware is also known as Coreflood.

It has evolved over time, first breaking onto the scene in 2003. At the time, it was encountered when visiting a malicious web page containing obfuscated VBScript and detected as TrojanDropper:VBS/Inor.B. Using hexadecimal encoding, the VBScript dropper would create an executable, detected as Backdoor:Win32/Apdoor.C. Its main functionality was somewhat simple then and the malware referred to itself as “AICORE” in its debug messages.

The threat family dropped off in telemetry in 2009; around the same time it became part of a command-and-control network, or botnet. The sophistication of the malware increased through the spawning of multiple processes and the use of obfuscation and anti-emulation techniques.

Throughout the evolution of what is now known as Afcore, the communication the malware sends to the C&C server has remained technically the same. The malware uses debug messages for version tracking. Some of the debug strings include the following:

  • COM2PLUS_MessageWindowClass
  • Version 3.1-test22(tv7) built on 06/11/08 at 15:32:57
  • Basename: %s, PID: %d (%s)
  • Octopus PID: %d(%i)
  • Shutting down AF . . .
  • Restarting AF . . .
  • Respawning AF . . .
  • User is logging off (%h)
  • AF has exited (%d): %s
  • Windows day %d has elapsed
  • AF 3.1-test22 has caused exception %h at %s+%h (%h)

Win32/Afcore comprises two components, a dropper and installed malware that runs as a backdoor. The backdoor component is injected into running processes and connects to a remote server to retrieve commands that are executed on the affected system. Commands could include instructions to steal passwords, attack other computers and so on. When the dropper is executed, it creates randomly named executable and data files, such as the following:

%TEMP%\gnfl.dll – Win32/Afcore
C:\Windows\System32\iaspojcy.dil – Win32/Afcore
C:\Windows\System32\iaspojcy.dat – data file
C:\Windows\System32\comrspl.dat – data file
C:\Windows\System32\kbdmlv47.dat  – data file

The registry is modified to execute Win32/Afcore at Windows start, as indicated below in these examples of modified registry data:

In subkey: HKLM\Software\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}
Sets value: "(default)"
With data: "iaspojcy"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32
Sets value: "(default)"
With data: "C:\Windows\System32\iaspojcy.dil"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy
Adds value: "(default)"
With data: "{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"

These registry changes register the DLL as a shell icon overlay handler, which allows Win32/Afcore to execute when Windows Explorer runs and when Internet Explorer is launched.
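The persistence mechanism shown above leaves a checkable trail: an entry under ShellIconOverlayIdentifiers whose default value is a CLSID, and that CLSID’s InprocServer32 pointing at the file Explorer will load. The following added example (not MSRT or MMPC code) audits a Regedit-style .reg export of those two hives and reports overlay handlers whose server is missing or whose file does not carry the normal .dll extension, as the iaspojcy.dil entry from the post does not. The .reg text is constructed; it reuses the CLSID and path from the post alongside a made-up benign overlay entry.

```python
"""Audit shell icon overlay handlers from a .reg export.  Added example, not
code from the MMPC post.  Assumes the standard Regedit export format, where
only '@=' (default) values matter for this check.  The sample below is
constructed: the iaspojcy entries mirror the post, the ExampleSync entries
are a made-up benign handler."""
from pathlib import PureWindowsPath

OVERLAY_ROOT = (r"hkey_local_machine\software\microsoft\windows\currentversion"
                r"\explorer\shelliconoverlayidentifiers" + "\\")
CLSID_ROOT = r"hkey_local_machine\software\classes\clsid" + "\\"


def parse_reg_defaults(text):
    """Return {key (lower-cased): default value} for every '@=' line."""
    defaults = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # registry keys are case-insensitive
        elif current and line.startswith('@="') and line.endswith('"'):
            # .reg exports escape backslashes and quotes inside string values
            defaults[current] = line[3:-1].replace('\\\\', '\\').replace('\\"', '"')
    return defaults


def audit_icon_overlays(defaults):
    """Return findings for overlay handlers whose COM server looks wrong."""
    findings = []
    for key, clsid in defaults.items():
        if not key.startswith(OVERLAY_ROOT):
            continue
        overlay = key[len(OVERLAY_ROOT):]
        server = defaults.get(CLSID_ROOT + clsid.lower() + r"\inprocserver32")
        reasons = []
        if server is None:
            reasons.append("no-inprocserver32")
        elif PureWindowsPath(server).suffix.lower() != ".dll":
            reasons.append("non-dll-extension")   # e.g. the .dil file in the post
        if reasons:
            findings.append({"overlay": overlay, "clsid": clsid,
                             "server": server, "reasons": reasons})
    return findings


# Constructed .reg export (raw string, so the doubled backslashes are literal).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}]
@="iaspojcy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32]
@="C:\\Windows\\System32\\iaspojcy.dil"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy]
@="{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}]
@="Example Sync overlay (constructed benign entry)"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-1111-2222-3333-444444444444}\InprocServer32]
@="C:\\Program Files\\Example Sync\\overlay.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ExampleSync]
@="{00000000-1111-2222-3333-444444444444}"
"""


def audit_sample():
    """Run the audit over the constructed export."""
    return audit_icon_overlays(parse_reg_defaults(SAMPLE_REG))


if __name__ == "__main__":
    for f in audit_sample():
        print(f["overlay"], f["clsid"], f["server"], ",".join(f["reasons"]))
```

On a live system the same two subtrees can be exported with `reg export` and fed to the script; an overlay handler that resolves to a randomly named file in System32 with a non-.dll extension, or to no server at all, is worth pulling for analysis.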

Win32/Afcore injects code from a utility, “jb.dll”, known as the “jailbreak tool”, to export certificates marked as non-exportable from the Windows certificate store. The certificates could then be used by an attacker to access online banking sites in an unauthorized manner. The malware could also perform the following actions:

  • modify the registry to run at Windows start
  • steal private certificates
  • restart or shutdown its currently running process
  • monitor Windows sockets
  • make connections to a remote host to transmit data

Additionally, Win32/Afcore could monitor network traffic to steal credentials associated with performing online mobile payments. The malware contains the following strings that it uses when monitoring traffic:

  • telegraphic
  • swift
  • remittance
  • foreign
  • s.w.i.f.t
  • cross-border

Win32/Afcore contains code that assists in capturing traffic and stealing information communicated when visiting websites containing the following strings, two of which are associated with National Health Service sites:

  • **
  • **
  • *.hilton.*
  • *.yahoo.*
  • *.google.*

The trojan monitors communication sent via secure hypertext transfer protocol (HTTPS) as well. Win32/Afcore has been known to communicate with servers named “” and “”. The IP addresses reported for these servers were located in Germany.

The addition of Win32/Afcore to MSRT this month comes at the request of the FBI and the Department of Justice to support a takedown operation which is discussed here:

Microsoft is pleased to work with law enforcement, industry and academia when it leads to a safer computing environment for all of us. It is gratifying to see law enforcement agencies around the world taking aggressive steps to curb criminality on the Internet. Kudos to all of those involved.


— Jaime Wong & Jeff Williams, MMPC

Categories: botnets, DoJ, FBI, MSRT, Win32/Afcore

Operation b107 – Rustock Botnet Takedown

March 18th, 2011

Just over one year ago, Microsoft, with industry and academic partners, utilized a novel combination of legal and technical actions to take control of the Win32/Waledac botnet as the first action in Project MARS (Microsoft Active Response for Security). Today, a similar action has had its legal seal opened, allowing us to talk more openly about recent activities against the Win32/Rustock botnet.

Comparatively, Waledac was a much simpler, and smaller, botnet than Rustock. It is, however, because of the legal and technical lessons learned in that set of actions that we were able to take on the much larger challenge of Rustock, a botnet with an estimated infection count above one million computers and capable of sending billions of spam messages per day. Some statistics suggest that, at peaks, it represented as much as 80% of spam traffic and in excess of 2,000 spam messages per second.


Our efforts here represent a partnership between Microsoft’s Digital Crimes Unit, the Microsoft Malware Protection Center and Trustworthy Computing. This was a multi-month effort which had its denouement yesterday with a coordinated seizure of command and control servers under court order from the U.S. District Court for the Western District of Washington carried out by the U.S. Marshals Service as well as authorities in the Netherlands.  Investigators are now inspecting the evidence captured in these seizures from five hosting centers in seven locations in order to, potentially, learn more about those responsible and their activities.


Efforts like this are not possible without collaboration with others. For this effort, we worked with Pfizer, whose brands were infringed by fake-pharma spam coming from Rustock. We also worked with our colleagues at FireEye and the University of Washington. All three provided valuable declarations to the court on the behaviors of Rustock and the specific dangers posed by this threat: dangers to public health in addition to those affecting the Internet.


We are continuing our work with both CERTs and ISPs around the world to reach out to those whose computers are infected and help clean them of viruses. If you believe a computer under your care or that of a family member, friend or colleague may be infected, please make a concerted effort to clean it and get protected with a full antivirus product from a trusted provider.  More support information is available at The announcement from Microsoft’s Digital Crimes Unit can be found on the Official Microsoft Blog and the Microsoft on the Issues blog.


 –Jeff Williams