Microsoft Wages War Against 'ZeroAccess' Scammers

Dennis Faas's picture

Microsoft says it has significantly disrupted, though perhaps not destroyed, a major network of infected computers (also known as a 'botnet'). It's estimated those behind the scheme have generated $2.7 million a month in revenue.

The ZeroAccess botnet is thought to involve more than two million computers infected with a kind of malware that allows cybercriminals to remotely control these systems.

Rather than try to steal personal data from the computers, the operators used this control to run a major advertising scam. In effect, the operators set up websites to sell pay-per-click advertising, often through agencies so that the advertisers don't keep tabs on where the ads appear.

This way the advertisers don't pay a fixed rate, like in a newspaper or a TV commercial. Instead, they pay a small fee every time somebody who sees the ad clicks on a link in it, taking them to the advertiser's site.

Zombie PCs Clicking Ads 24 / 7

In this case the scammers were forcing the infected computers to repeatedly follow the links as if a user had clicked the ad, thus racking up the payments.

Each of the botnet systems was "clicking" up to 48 ads an hour, doing so for as long as the computer was switched on and connected to the Internet. (Source:

Those people whose computers were infected might have noticed a slight decrease in system performance. However, it was a major problem for advertisers who were wasting money on the bogus ad clicks.

That meant less money available to pay for genuine ads on sites people actually want to visit. In essence, the scam harmed websites reliant on advertising revenue to keep operating.

Botnet Interrupted by Physical, Virtual Tactics

Tackling the botnet was a major legal and logistical operation, as the server computers issuing commands to the infected computers were based in 18 locations across Europe.

Microsoft took the case to a Texas court and got a ruling that allowed it to take three steps to disrupt the botnet.

First, it was allowed to block communications between the European servers and infected computers based in the US.

Second, it was given control of website domains used in the scam. Most of the infected computers were visiting these domains in order to contact the cybercriminals' servers for instructions.

Finally, Microsoft handed details over to Europol, a partnership between law enforcement agencies across Europe. Officers in five countries carried out raids to physically seize the cybercrooks' servers, which had been issuing the instructions. (Source:

Rate this article: 
Average: 2 (1 vote)