ZeroAccess, often reffered to as max++ and Sirefef, is Trojan horse malware that affects Microsoft Windows operating systems.

Once it infects a machine, it is used to download other malware onto it and create a botnet that remains hidden on a system using rootkit techniques. Most commonly, it is involved in click fraud and Bitcoin mining.

The ZeroAccess botnet is first thought to have been discovered in July 2011. The ZeroAccess rootkit responsible for the botnet spread is estimated to have been present on at least 9 million systems. Experts have been unable to agree on the exact size of the botnet. Antivirus provider Sophos estimated the botnet size at around 1 million active and infected machines in the third quarter of 2012, while security vendor Kindsight estimated that there were 2.2 million infected and active systems.

The bot itself is spread through the ZeroAccess rootkit through a variety of attack vectors. One attack vector is a form of social engineering, where a user is persuaded to execute malicious code either by disguising it as a legitimate file, or including it hidden as an additional payload in an executable which announces itself as – for example, bypassing copyright protection (a keygen).

A second attack vector utilises an advertising network in order to have the user click on an advertisement that redirects them to a site hosting the malicious software itself. A third infection vector used is an affiliate scheme where third party persons are paid for installing the rootkit on a system.

Once a system has been infected with the ZeroAccess rootkit it will start one of the two main botnet operations – Bitcoin mining or Click fraud. Computers involved in Bitcoin mining generate bitcoin for their controller.

The machines used for click fraud simulate clicks on website advertisements paid for on a pay per click basis. The estimated profit for this activity may be as high as $100,000 per day, costing advertisers a $900,000 a day in fraudulent clicks. Typically, ZeroAccess infects the Master Boot Record (MBR) of the infected machine.

In December 2013 a coalition led by Microsoft attempted to destroy the command and control (C&C) network for the botnet. The attack was ineffective though because not all C&C were seized, and its peer-to-peer C&C component was unaffected – meaning the botnet could still be updated at will.

However, in January 2014, Sophos, which had been monitoring the botnet since Microsoft’s action against it, stated: "It seems that, for now at least, the botnet owners have given up, with no new plugins being pushed into the P2P network and no new droppers released onto the Internet.

"The owners still have the capability to try to make the botnet work again as they can seed new files into the network, but with no new droppers being pushed the size of the botnet is rapidly decreasing."