One of the largest Botnet "Sirefef" disrupted by Microsoft


Microsoft, working with law enforcement agencies and A10 Networks, has disrupted ZeroAccess, one of the world's largest botnets, which defrauded online advertisers.

ZeroAccess, also known as Sirefef, is a notorious malware family that makes money for cyber criminals through click fraud: hijacking victims' search results and generating fake clicks on ads. It also installs Bitcoin miners on infected machines.

Victims are usually infected with ZeroAccess through drive-by download attacks.

The malware has reportedly infected more than two million computers and costs online advertisers around $2.7 million per month.

David Finn, executive director and associate general counsel of the Microsoft Digital Crimes Unit, said the disruption "will stop victims' computers from being used for fraud and help us identify the computers that need to be cleaned of the infection".

Microsoft said the action will not "fully eliminate the ZeroAccess botnet due to the complexity of the threat". However, it will significantly disrupt the botnet's operation and cut the revenue of the cyber criminals behind ZeroAccess.

A new variant of the ZeroAccess Trojan exploits NTFS EA


The latest variant of the infamous ZeroAccess Trojan uses a new technique to store its malicious content: it abuses a feature of the NT File System (NTFS) called Extended Attributes (EA).

"Trojan.Zeroaccess.C uses ZwSetEaFile to write the malicious payload into the EA data of the file %System%\services.exe and ZwQueryEaFile respectively to retrieve and execute it. The threat patches the code to read and execute the EA data directly into the services.exe file by overwriting a portion of the original initialization code," a Symantec researcher said.
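One defensive check a responder could run on a suspect host, as an added example that is not from the article or from Symantec: parse the FILE_FULL_EA_INFORMATION chain that NtQueryEaFile returns for a file and flag any EA large enough to hold code. The 4096-byte threshold, the sample EA names and the sample buffer are assumptions constructed for this example; `read_file_eas` only works on Windows.

```python
import struct

# FILE_FULL_EA_INFORMATION (ntifs.h): ULONG NextEntryOffset, UCHAR Flags, UCHAR EaNameLength,
# USHORT EaValueLength, then the NUL-terminated EaName and EaValueLength bytes of value.
_HDR = struct.Struct("<IBBH")

def parse_ea_buffer(buf):
    """Walk a FILE_FULL_EA_INFORMATION chain; return [(name, flags, value), ...]."""
    entries, off = [], 0
    while off + _HDR.size <= len(buf):
        next_off, flags, name_len, val_len = _HDR.unpack_from(buf, off)
        name_start = off + _HDR.size
        val_start = name_start + name_len + 1            # +1 skips the NUL after the name
        if val_start + val_len > len(buf):
            raise ValueError("truncated EA entry at offset %d" % off)
        name = buf[name_start:name_start + name_len].decode("ascii", "replace")
        entries.append((name, flags, buf[val_start:val_start + val_len]))
        if next_off == 0:                                # 0 marks the last entry
            break
        if next_off < _HDR.size:                         # a bogus offset would loop forever
            raise ValueError("bad NextEntryOffset %d at offset %d" % (next_off, off))
        off += next_off
    return entries

def large_eas(entries, threshold=4096):
    """EAs big enough to hold executable code; system binaries normally carry no EAs at all."""
    return [(name, len(value)) for name, _, value in entries if len(value) >= threshold]

def read_file_eas(path):
    """Windows only: fetch a file's EA chain with ntdll!NtQueryEaFile and parse it."""
    import ctypes
    class IOSB(ctypes.Structure):                        # IO_STATUS_BLOCK
        _fields_ = [("Status", ctypes.c_long), ("Information", ctypes.c_void_p)]
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    h = k32.CreateFileW(path, 0x80000000, 7, None, 3, 0x80, None)  # GENERIC_READ includes FILE_READ_EA
    if h == -1:
        raise ctypes.WinError()
    buf, iosb = ctypes.create_string_buffer(65536), IOSB()
    status = ntdll.NtQueryEaFile(h, ctypes.byref(iosb), buf, len(buf), False, None, 0, None, True)
    k32.CloseHandle(h)
    if status & 0xFFFFFFFF == 0xC0000052:                # STATUS_NO_EAS_ON_FILE: the normal case
        return []
    if status < 0:                                       # any other NTSTATUS error
        raise OSError("NtQueryEaFile failed: 0x%08X" % (status & 0xFFFFFFFF))
    return parse_ea_buffer(buf.raw[:iosb.Information or 0])

# Constructed sample buffer (not real malware data): a small ".LONGNAME" EA holding 12 bytes,
# then a 5000-byte "PAYLOAD" EA; 32 = header 8 + name 9 + NUL + value 12, padded to a ULONG boundary.
SAMPLE_EA_BUFFER = (b"\x20\x00\x00\x00\x00\x09\x0c\x00.LONGNAME\x00services.exe\x00\x00"
                    + b"\x00\x00\x00\x00\x00\x07\x88\x13PAYLOAD\x00" + b"\x90" * 5000)
```

On a Windows host, `large_eas(read_file_eas(r"C:\Windows\System32\services.exe"))` returns an empty list on a clean file; any entry it does return deserves a closer look.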

The researcher says the infected system file, services.exe, cannot be repaired automatically from the information in the file alone, because a portion of its original code has been permanently overwritten by the threat. Users therefore have to restore the file manually from a clean backup.

Restoring the file is easy on Windows Vista and later, which let users restore a file to a previous version by right-clicking it and selecting "Restore previous versions".

"As with other NTFS features, accessing the EA requires a specialized API and usually malware writers employ these techniques in the hope that antivirus products do not support them. This results in the payload remaining functional for longer periods of time," the researcher wrote.

"As far as Trojan.Zeroaccess.C is concerned, making use of EA marks a new point in its struggle to diversify. This new version does not include the rootkit component anymore, and it infects both x86 (32-bit) and x64 (64-bit) versions of the services.exe file."