ZeroAccess is used by criminals for a variety of scams including forcing machines to visit certain websites and engaging in click fraud through search engines such as Google, Bing and Yahoo, costing advertisers as much as $2.7m a month, Microsoft said.
As such the botnet has been the scourge of the security community for some time. Last week Microsoft secured a legal order to block communications between infected machines in the US and 18 IP addresses linked to ZeroAccess. Microsoft has also taken control of 49 domains associated with the botnet.
The action comes soon after Microsoft announced the opening of its dedicated Cybercrime Centre. David Finn, executive director of the Microsoft Digital Crimes Unit, said it underlined the efforts the firm would go to disrupt cyber criminals and their tools.
“The co-ordinated action taken by our partners was instrumental in the disruption of ZeroAccess; these efforts will stop victims’ computers from being used for fraud and help us identify the computers that need to be cleaned of the infection,” he said.
“Microsoft is committed to working collaboratively – with our customers, partners, academic experts and law enforcement – to combat cybercrime."
The FBI, which was also involved in the disruption of the ZeroAccess botnet, said the effort should prove to criminals that it would not overlook cybercrime in is efforts.
“If the hacker community has not yet taken notice, today’s disruption of the ZeroAccess botnet is another example of the power of public-private partnerships,” said Richard McFeely executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch.
“It demonstrates our commitment to expand co-ordination with companies like Microsoft and our foreign law enforcement partners – in this case, Europol – to shut down malicious cyber attacks and hold cyber criminals accountable for exploiting our citizens’ and businesses’ computers.”
Renowned security researcher Brian Krebs said that while the action would not put ZeroAccess out of action it could help Microsoft and legal authorities gain more insight into its behaviours.
“While this effort will not disable the ZeroAccess botnet (the infected systems will likely remain infected), it should allow Microsoft to determine which online affiliates and publishers are associated with the miscreants behind ZeroAccess, since those publishers will have stopped sending traffic directly after the takedown occurred,” he said.
The action by Microsoft follows efforts by security vendor Symantec to sink hole an estimated 500,000 machines that had been infected by ZeroAccess. This freed the infected machines from the servers that had been communicating with the malware on their systems.