A botnet known as “ZeroAccess” or “Sirefef” was disrupted and essentially shut down back in 2013 after a number of law enforcement groups took decisive action against it. This botnet was largely focused on advertising fraud: the infected computers would click on pay-per-click (PPC) ads in ways designed to avoid detection.
The Dell SecureWorks Counter Threat Unit noticed that the botnet began to reactivate back in March of 2014, but it was not actively performing any type of click fraud at the time. The team has now reported that as of January 15th, 2015 the network appears to be resuming its ad fraud efforts.
They estimate that the botnet has about 55,000 infected systems, which is not especially large compared to many other botnets. It is not always necessary, however, to have the largest number of infected systems to make a large amount of money from this type of fraud.
In fact, the smaller networks may be preferable in some cases. Jeff Williams is the director of security strategy with the Dell SecureWorks CTU and recently said, “The current campaign may be small by design [perhaps in order to] evade detection, and it may be largely outside of the United States and Europe as a method to avoid those law enforcement agencies which were involved in the takedown operation.”
Whether intentional or not, the 55,000-strong network will be able to rack up a significant number of clicks, and it will do so in a way that is extremely difficult for the ad networks to detect. The operators of these botnets create sophisticated programs that make the browsing activity and clicks appear authentic.
You can read the entire release about the ramping up of activity on the Dell SecureWorks website.