
I'm interested in the recommended course of action for when you find a (Windows) system infected with the ZeroAccess botnet.

I've seen various blog posts online recommending that the user download and run a script, which will remove the botnet, but in your opinion is this enough, or is a full re-install recommended?

Thanks

JMK

1 Answer


Some background: The ZeroAccess rootkit/botnet is a multi-purpose, highly resilient bit of malware. It causes compromised devices to participate in click-fraud and mine Bitcoins. Compromised devices participate in a peer-to-peer Command and Control network, which makes the botnet resilient against takedown measures.

Overall, it is a very clever bit of malware that is still being investigated in detail:

Ross Gibb and Vikram Thakur will be presenting their findings from this operation at the annual Virus Bulletin Conference to be held in Berlin, October 2-4, 2013. In addition, a comprehensive white paper will be released soon to coincide with the presentation laying out the inner details of the ZeroAccess threat.

Given how well-written this malware is, the usual recommendation applies - the only way to be certain is to rebuild the device from known good media.

If this machine is one you use regularly, then you should strongly consider rebuilding it ("rebuild" here means to reinstall or restore your operating system to factory defaults).

If you must give up some security in order to save time or money, then there are some removal tools out there from reputable vendors: Symantec, AVG, ESET, McAfee to name a few.

Perhaps if the infected computer is only used by your 8-year-old nephew to play Angry Birds, you could consider just using a removal tool or process.

scuzzy-delta