Bitcoin Forum
Topic: 2012-09 sophos.com - The ZeroAccess Botnet – Mining and Fraud for Massive Financ
julz (OP)
September 20, 2012, 10:58:26 PM
 #1

Sophos technical paper

Quote
The ZeroAccess Botnet – Mining and Fraud for Massive Financial Gain

James Wyke, Senior threat researcher SophosLabs
2012-09

http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx

...
The ZeroAccess botnet that communicates on port 16471 (32-bit) and 16470 (64-bit) is currently downloading plugins that facilitate Bitcoin mining.
...
These statistics clearly show that the Bitcoin mining botnet is the most prevalent, followed by the click fraud botnet with the kernel-mode botnet a very distant third.
...
If we estimate the total size of all ZeroAccess botnets to be 1,000,000 machines and use the statistics acquired from the successful installs data that suggests that the proportion of the total machines that connect to the Bitcoin mining botnet is 62%, then we have 620,000 machines that could be participating in Bitcoin mining.
...
We can see that ZeroAccess’ mining pool is close in size to some of the biggest public pools. These generate huge numbers of Bitcoins, for example the DeepBit pool [14] has mined over 1 million Bitcoins in the course of one year.
...
Using botnets to mine Bitcoins deprives hard-working legitimate Bitcoin miners from generating those coins and therefore receiving payment.
More importantly this activity taints the Bitcoin image. There have been several cases of Bitcoin exchanges being broken into and Bitcoins stolen [17], and there are concerns that the currency may die off like some digital currencies have done so before it [18].
A continued association with botnets and malware does nothing to increase the more widespread adoption of Bitcoin.
...

JMAHH
September 22, 2012, 04:10:47 AM
 #2

BUMP. Just finished reading this.

The ZeroAccess botnet could be the third largest mining pool in terms of total hash rate. (page 44)
Mike Hearn
September 23, 2012, 12:03:19 PM
 #3

Very interesting link, thanks.

It sounds like the operators weren't ready to scale up their pool operation, that's the only reason I can think of for why it'd be regularly unavailable. Incidentally google-updaete.com is now an NXDOMAIN.

Scaling a mining pool isn't easy, let alone to millions of nodes. They may have found the amount of effort it took to keep the pool running and performant made it not worth doing. Especially given the complexity of cashing out large quantities of coins.
JMAHH
September 23, 2012, 12:37:39 PM
 #4

Quote from: Mike Hearn on September 23, 2012, 12:03:19 PM
Very interesting link, thanks.

It sounds like the operators weren't ready to scale up their pool operation, that's the only reason I can think of for why it'd be regularly unavailable. Incidentally google-updaete.com is now an NXDOMAIN.

Scaling a mining pool isn't easy, let alone to millions of nodes. They may have found the amount of effort it took to keep the pool running and performant made it not worth doing. Especially given the complexity of cashing out large quantities of coins.

Interestingly, they only make use of the CPU and not the GPU, as the report states. That is a huge loss of potential over a million computers. I was actually wondering why the hackers wouldn't implement a system whereby the GPU would be used an arbitrary number of hours per day (one, two, three)...
Gabi
September 23, 2012, 04:47:47 PM
 #5

ASIC will make them die :D Just some months and goodbye

Shadow383
September 24, 2012, 02:43:11 AM
 #6

Quote from: Mike Hearn on September 23, 2012, 12:03:19 PM
Very interesting link, thanks.

It sounds like the operators weren't ready to scale up their pool operation, that's the only reason I can think of for why it'd be regularly unavailable. Incidentally google-updaete.com is now an NXDOMAIN.

The interesting question is - how long until they patch it to use Stratum? Then they could probably handle far more load...