Microsoft has disrupted a botnet nearly two million computers strong that costs online advertisers upwards of $2.7m a month.
Working with Europol, the FBI and industry partners the software giant filed a lawsuit in Texas and won a judge's order directing Internet service providers to block all traffic to 18 Internet addresses that were used to direct fraudulent activity to the infected machines.
Law enforcement in several European countries served warrants at the same time, seizing servers expected to contain more evidence about the leaders of the crime ring operating the ZeroAccess botnet, which was devoted to "click fraud."
Once a computer becomes infected by ZeroAccess, it hijacks search results and directs people to potentially dangerous websites that could install further malware onto their computer or steal their personal information.
The network of captive machines can also be used in complicated schemes that force them to click on ads without the computer owners' knowledge, cheating advertisers on search engines like Microsoft's Bing as well as Google and Yahoo by making them pay for interactions that have no chance of leading to a sale.
“Because of the sophistication of the threat, Microsoft and its partners do not expect to fully eliminate the ZeroAccess botnet,” the firm said in a blog post.
“However, we do expect this legal and technical action will significantly disrupt the botnet’s operation by disrupting the cybercriminals’ business model and forcing them to rebuild their criminal infrastructure, as well as preventing victims’ computers from committing the fraudulent schemes.”
The coordinated effort marks the eighth time Microsoft has moved against a botnet and a rare instance of it doing serious damage to one that is controlled with a peer-to-peer mechanism, where infected machines give each other instructions instead of relying on a central server that defenders can hunt down and disable.
But the ZeroAccess botnet still had a weakness: The code in the infected machines told them to reach out to one of the 18 numeric Internet addresses.
Microsoft recently opened a new Cybercrime Center in Washington, USA, and is using new tools in its efforts. They are helped by a provision in trademark that allows pretrial seizure of suspected counterfeit goods, including websites that, as in the present case, are spreading tainted versions of the Internet Explorer browser.
The company is working with national computer security authorities in various countries and with Internet service providers to notify individual computer owners with infected machines, hoping to reach most of them before the fraudsters can spread new instructions.
Microsoft has been sharing evidence with the FBI and Europol, the continent's law enforcement coordinating service. National agencies took part in seizure actions in Germany, Switzerland, Latvia, Luxembourg, and the Netherlands.
For now, at least, the fraud by this network has stopped, said Microsoft Assistant General Counsel Richard Boscovich.
The operators of the botnet are believed to be in Russia, while the author of the malicious software distributed on it could be based elsewhere, Boscovich said.