Why ZeroAccess botnet stopped bitcoin mining

There have been several reports this week detailing how security firm Symantec took down a large portion of a bitcoin mining botnet called ZeroAccess. What few, if any, mention is that the bitcoin mining part of the botnet hasn't been functional for almost six months, because the developers deliberately killed it. The question is, why?

ZeroAccess is a piece of malware that joins an infected computer to a large network of similarly compromised machines. They can then be controlled by a central administrator, commonly called a botherder, who then gets the machines to do his bidding.

Most botnets follow predictable criminal practices, using victims' computers to send spam, or simply harvesting sensitive information on the infected machines, so that cybercriminals can use them to steal money. Others are used for click fraud, in which machines are made to click on profitable online links.

ZeroAccess was different, because it included a bitcoin mining module. The software used infected computers' CPUs to mine for bitcoins, returning the profits to the botherders.

ZeroAccess isn’t a new botnet - Symantec first saw it in the summer of 2011, according to Vikram Thakur, a research with Symantec Security Response. The next major revision emerged a year later, with minor revisions found in between.

But something significant happened in April this year, he said, going on to explain:

“ZeroAccess deprecated the bitcoin mining module back in April 2013. The botnet harnessed the hashing power of all those bots until April 2013 and then pushed out an update which effectively removed the mining module. No mining has happened on the ZeroAccess network since then."

Why would botherders kill a software module which was causing a lot of machines to happily churn out bitcoins?

Many technically astute people reading this will jump to the obvious conclusion, which is that CPU mining is pointless, given the high difficulty caused by the rapidly increasing hash rate on the network. This in turn is being caused by a flood of ASIC mining hardware which is pushing GPUs out of the picture, let alone computationally anaemic CPUs.

Symantec even does the math, taking a relatively old test computer as an example. It used a 2Gb, 3.4GHz Dell OptiPlex GX620 Pentium D machine to see how well the malware might cause it to mine. It used 136.25 Watts per hour to mine at 1.5Mh/sec. Put that next to the machines that KnC Miner just started shipping and it’s like watching a Reliant Robin next to a Ducati.

Gregory Maxwell, one of the core dev team for bitcoin, says that a fast CPU does in the region of 1MH/GHz, meaning that a fast quad core 3GHz machine might do 12MH/s. But are newer machines likely to be among the infected?

“At least in the past, my impression has been that botnet machines tended to be older machines (less likely to have current patches), so more like a single core 2GHz machine— or 1.5Mh/s,” he said.

Even if faster machines are infected, they’re not likely to be using all of their power for mining. These hash rate estimates assume that the computers will be entirely idle, all of the time.

So in practice, the botnet isn’t likely to have a significant effect on the network, argues Maxwell. 1.9 million 1.5 MH/s hosts only equate to around 2.85 TH/s. The network is already hashing at over 1 Petahash per second, which means that this botnet is small potatoes.

But none of this actually matters, thanks to the vast number of users who don’t understand basic IT security and get infected on a regular basis. In ZeroAccess’s case, there were 1.9 million of them.

Let’s assume – for the criminals’ benefit – that the partial CPU utilization and the infection of more powerful machines cancel each other out, and that the average hash rate for the 1.9 million machines on the network was indeed 1.5Mh/sec. The average computer would earn around 41 cents per year, according to Symantec. But 1.9 million of them would mint thousands of dollars per day for the criminals. That’s easy money. Why turn it off?

Thakur has some ideas. The first is bad mining workflow. “The mining pool server had a static domain, which could have been taken down by law enforcement if someone reported the botnet's activities; maybe the botmaster was afraid of being tracked down as a result of having a static domain as part of the payload infrastructure,” he said.

However, there’s a more likely scenario in his mind, which is a basic case of economics. Even if the botherders were making money from illicit mining, they could be making more money, less transparently, making it a basic question of where best to spend the computing power.

Thakur suggests:

“The botmaster did not make nearly as much money through bitcoin mining (think difficulty factor) as compared to click fraud.

Tracking down fraud within the advertising networks is very difficult, making it more lucrative to hide profits behind such an infrastructure.”

These are all educated guesses, and until someone nabs the botherders and interrogates them, we’ll never know for sure.

Our guess is that it’s a combination of the two, and also possibly a knee-jerk reaction to market movements. The botherders quashed the bitcoin mining function in April, when interest in bitcoin reached an all-time high, and when the currency crashed from $266 to $40. Perhaps they decided that the currency value didn’t warrant the extra CPU cycles at that point.

We’re betting that the mining module doesn’t get reactivated now that network hashing power is skyrocketing. Symantec has also just put half a million of the machines out of action in a neat technical move known as sinkholing. The case for reintroducing it is constantly shrinking.

On the other hand, as soon as litecoin – the predominant coin based on the CPU-friendly Scrypt network – reaches mainstream awareness and captures the botherder's attention, we can expect to see botnets taking full advantage. If it happens, that will be a couple of years out.