Security Researcher Found ZeroAccess Malware Botnet To Launch Reflection DDoS Attacks

Security Researcher Found ZeroAccess Malware Botnet To Launch Reflection DDoS Attacks

The ZeroAccess Malware's Botnet Can Be Abused By A MalwareTech Security Researcher.

A security researcher has discovered a way by which he could abuse the ZeroAccess malware's botnet. The purpose of doing, to launch reflection DDoS attacks with an above-average amplification factor.

Now, you might have a question in your mind that What is ZeroAccess? So, it is a Trojan that infects Windows computers and after that, it starts communicating with a command and control. Once it starts communication then the Trojan allows downloading various types of other, more dangerous malware. The malware may include:

• Bitcoin mining software
• Operating hidden from the user's view
• Clickfraud bots

In 2011, ZeroAccess botnet first appeared. It has an effective rootkit component and P2P-like structure. Because of this feature, it even managed to survive a take down attempt orchestrated by Microsoft in December 2013. 

According to the security researcher from MalwareTech, the ZeroAccess allowed its bots to relay messages from one to another. The ZeroAccess used a simple UDP packets, to relay their messages from the C&C server to super-nodes and workers.

As it has a complex mesh structure, so the bot would add extra information to the packet about the information related to the network's structure, once when the UDP packet arrived at a supernode. The added information is around 408 bytes apart from the original 16, for a total of 242 bytes. 

The attacker would be able to send UDP packets to its bots, some of the UDP packets would amplify the traffic by 26.5, and it send back to the victim's IP, as the UDP packets can have their destination address spoofed.

As compare to the other types of reflection DDoS attacks the typical amplification factor is only 2-10, which is exactly half of this types of reflection DDoS attacks, that carrying only 26.5 amplification factor. So, it is considered as a typical reflection DDoS attack.

In order to maximize IPv4 address space usage, most of the bots infect those users that are sitting either behind Network Address Translation or to those software programs that translate public IPs to private IP addresses.

By using this program, we can conclude that to a person carrying DDoS attacks via this technique wouldn't have access of ZeroAccess botnet.

MalwareTech found a way around this issue as well, that allow him to involve ZeroAccess supernode bots into DDoS attacks even if sitting behind a router.