Early December last year, Microsoft – in cooperation with certain law enforcement agencies – announced their takedown of the ZeroAccess operations. However, this also unexpectedly affected another well-known botnet, TDSS.
TDSS and ZeroAccess
ZeroAccess is one of the most notable botnets in the world, with its malware known for rootkit capability. This malware is typically downloaded from peer-to-peer (P2P) networks disguised as pirated movie titles. Similarly, TDSS is known for its rootkit technology to bypass and is noted for distributing other malware such as FAKEAV, DNS changers. Both botnets are involved in click fraud operations.
In our previous blog entry, we mentioned how certain ZeroAccess variants redirect to URLs associated with TDSS, suggesting that the two botnets share portions of their command-and-control (C&C) infrastructure. As we monitored the connection between the two botnets, we found that the number of ZeroAccess customer infections and communications significantly dropped the day after the takedown. Among those systems with ZeroAccess infections, only 2.8% attempted (but failed) to communicate with its C&C servers.
Figure 1. ZeroAccess activity from Nov. – Dec. 2013
During the same period, we observed that the click fraud operations of TDSS were noticeably affected. The number of TDSS communications related to click fraud dropped days after December 5, the date when Microsoft announced their takedown of the ZeroAccess botnet. These activities, however, suddenly picked up before the year ended, suggesting that the click fraud side of TDSS is still active and the takedown’s impact may be temporary.
Figure 2. TDSS click fraud activity from Nov. – Dec. 2013
However, the number of TDSS infections and communications were not impacted by the takedown, which indicates that only its click fraud side was affected.
Figure 3. TDSS activity from Nov. – Dec. 2013
The Botnet Connection
This significant decrease in TDSS click fraud operations has something to do with its connection to ZeroAccess’s own click fraud. As we noted in our previous research, since both botnets perform click fraud, they may have exchanged URL lists with each other to generate more money. Proof of this nefarious deal between these two notorious botnets can be seen in the redirection URLs used by ZeroAccess.
When initiating click fraud, we noticed several ZeroAccess variants redirecting to URLs related to TDSS. These redirections in turn, increase the number of clicks gathered by TDSS thus creating more profit for its perpetrators. We also noticed that TDSS malware, in particular versions DGAv14 use the old ZeroAccess domain generation algorithm (DGA) module, while new ZeroAccess variants has adopted DGAv14 features.
Though the ZeroAccess takedown was disruptive to TDSS money-making schemes, its infections and communications remained business-as-usual, which means the TDSS botnet is likely profiting from other botnets.
Trend Micro users are protected from this threat by detecting both TDSS and ZeroAccess variants andblocks access to the related URLs. As an added precaution, we advise users to refrain from downloading files from unverified sites and peer-to-peer (P2P) networks, where ZeroAccess variants are known to be downloaded from.