ZeroAccess Virus Using Millions of PCs to Generate Revenue

December 04, 2012, in tips

By The Pit Crew

When asked why he robbed banks, the 1920s U.S. bank robber Willie Sutton is credited with delivering the singular answer: because that’s where the money is. Today the money is in clicks on web links. Each click on a link delivers a visitor to a web site, and each visitor to a web site is a potential customer. Today’s online stores buy clicks, and today’s Willie Sutton steals them.

Sophos’s James Wyke recently released details on the number of clicks one modern-day Willie Sutton is stealing, and how 9M other people’s personal computers are used to do it.

How to steal $96K/day in clicks

The Zero Access virus makes $96K/day (USD) using a new version of the old self-dealing scam:

1. The scammer sets up a web site and publishes ads from one or more ad networks like Google, Microsoft, or Yahoo.

2. The ad networks pay the scammer a small fee for each click on an ad.

3. The scammer clicks on the ads on his own website.

Self-clicking is the essence of the scam.

It’s a lot of manual work to self-click on ads, so today’s Willie Sutton writes software programs to do the self-clicking for him. But ad networks can tell if a software program running on a computer is self-clicking, because too many clicks are coming from the same single computer. So Willie installs his self-clicking software on a huge number of other people’s personal computers without their permission and makes it really hard to get the program off. And that’s how a malware program is born, more popularly referred to as a virus.

This is the essence of the Zero Access virus. It’s a software program for self-clicking on scammers’ websites. The virus has infected over 9M people’s computers, with about 400K infections active at any point in time. Those approximately 400K actively running programs each self-click once an hour, 24 hours a day, at $0.01/click, to earn the scammer roughly $96K/day. Further, because it’s a software program, it can update itself to run other scams too, like mailing spam or stealing the credit card number of the computer’s owner.
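As an added illustration of the detection point above (this is not code from the article or from PC Pitstop), the Python below runs two checks over a constructed click log: the per-computer rate limit the article says ad networks rely on, which catches one machine clicking 40 times but sees nothing wrong with 50 machines each clicking once an hour, and a publisher-side cadence check an ad network could run on its own logs, which flags a site receiving exactly-hourly clicks from many distinct machines. IP addresses, site names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed click log of (timestamp, source_ip, publisher); not real data.
    198.51.100.7 mimics old-style self-clicking from one machine, the 203.0.113.x
    hosts mimic infected machines each clicking the same site once an hour, and
    the 192.0.2.x hosts are ordinary one-off visitors."""
    t0 = datetime(2012, 12, 4, 0, 0)
    log = []
    for i in range(40):                      # 40 clicks in 20 minutes from one host
        log.append((t0 + timedelta(seconds=30 * i), "198.51.100.7", "scam-site-a"))
    for b in range(50):                      # 50 hosts, each exactly hourly
        for h in range(6):
            ts = t0 + timedelta(hours=h, seconds=(b * 7) % 60)
            log.append((ts, f"203.0.113.{b}", "scam-site-b"))
    for i in range(30):                      # organic traffic, one click per visitor
        log.append((t0 + timedelta(minutes=(i * 37) % 360), f"192.0.2.{i}", "honest-site"))
    return sorted(log)

def high_rate_sources(log, max_per_hour=20):
    """Per-machine check the article describes: too many clicks from one source
    inside a single clock hour. Catches the single self-clicker only."""
    buckets = defaultdict(int)
    for ts, ip, _ in log:
        buckets[(ip, ts.replace(minute=0, second=0, microsecond=0))] += 1
    return {ip for (ip, _), n in buckets.items() if n > max_per_hour}

def cadenced_publishers(log, period=timedelta(hours=1),
                        tol=timedelta(minutes=2), min_sources=25):
    """Publisher-side check: each source's rate is unremarkable, but many distinct
    sources hit the same publisher at a near-constant interval, which is what a
    botnet timer produces and organic visitors do not."""
    times = defaultdict(list)
    for ts, ip, pub in log:
        times[(pub, ip)].append(ts)
    regular_sources = defaultdict(int)
    for (pub, ip), ts_list in times.items():
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) >= 2 and all(abs(g - period) <= tol for g in gaps):
            regular_sources[pub] += 1
    return {pub for pub, n in regular_sources.items() if n >= min_sources}

if __name__ == "__main__":
    log = build_sample_log()
    print("rate-flagged sources:", high_rate_sources(log))         # {'198.51.100.7'}
    print("cadence-flagged publishers:", cadenced_publishers(log))  # {'scam-site-b'}
```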

How to Remove Zero Access

Once Zero Access is installed on a computer, it’s very difficult for security programs to remove it, as this video demonstrates. Zero Access disables a number of Windows security services and takes measures to hide itself from security programs or disable anti-virus software that tries to remove it. There are thousands of websites and hundreds of ways to tackle removing ZeroAccess, but they all boil down to these four types of solutions:

The “FREE” Way
There are published guides on how to use a combination of manual steps and freely available software tools to remove the ZeroAccess virus. Technical skill is required.

Free AntiVirus Scan and Removal Recommendations from Bob Rankin

Free AntiVirus Scan and Removal Recommendations from Leo Notenboom

The “PHONE” Way
There are businesses that you can call and they’ll log into your computer over the Internet and a technician will remove the ZeroAccess virus for a fee. Typically the technician follows one of the published guides with the combination of manual steps and freely available software tools.

The “STORE” Way
Most stores that sell computers also service computers, and will remove viruses like Zero Access for a fee.

The “Live USB/CD” Way
The United States Computer Emergency Readiness Team recommends cleaning an infected computer with a “trusted bootable USB”. If assembling a bootable USB with an anti-virus system set up on it is too technically difficult, there are solutions available like the FixMeStick that are easy to use.

About The Pit Crew

PC Pitstop's Pit Crew is committed to providing you with the information you need to keep your PC safe and running like new.

33 Responses to ZeroAccess Virus Using Millions of PCs to Generate Revenue

  1. A virus that doesn’t damage your system. Congratulations to whoever made it; he got rich, a pity it wasn’t me.


  2. Alex S. Mayorga says:

    This is more advertising than anything. There is no detailed information about the virus. Even if there were… I congratulate whoever made it. It doesn’t damage any of the infected machines, it only "borrows" them so they click for him or her. Congratulations, and… no need to get nervous; use my PC and see if you send me some $$$$.


  3. Merete says:

    So how do you know if it is installed? What are the signs if any?


    • The Pit Crew says:

      @Merete: One telltale sign is when you click on a Google search result, you are taken to a domain that has nothing to do with what you selected, and it’s all ads.


  4. Streetsinger John says:

    “it’s very difficult for security programs to remove it as this video demonstrates.” What video?


  5. Still having issues with Firefox programs and this.


  6. Jim says:

    HOW can you tell if your PC has the ZERO ACCESS virus?


  7. Mary Jo says:

    This is a strange article. Like hollering "the world is ending" but never giving any info about what can be done.


    • The Pit Crew says:

      @Mary Jo: We’ll be more specific next time for sure. We did think that categorizing all the different types of solutions into 4 categories would help people decide the best next steps for them.


  8. LarryF says:

    This article seems to be a commercial. It gives enough information to cause concern, then talks about solutions… but it subtly discourages the use of most as too difficult for the average user, or too expensive, or as giving your precious computer to strangers.

    The only solution it gives concrete information about is the one with the hyperlink in bright red letters, and for that one, it gives a recommendation from an official-sounding organization I’ve never heard of. And it’s a solution that charges a license fee of $60 a year, like most antivirus companies, except that you might not use it more than once or twice in that year — or at all. And the tech version is $300 every year!

    I’m disappointed with PC Pitstop for publishing this commercial advertisement that is thinly disguised as a real information article. They normally do much better.


  9. Can we block the virus with taskkill?


  10. John Sampson says:

    A similar device is required to remove the latest manifestation of Babylon search engine malware (otherwise impossible to remove – even if you religiously follow Babylon’s own removal instructions). It’s a real nasty and who the hell knows whatever else it is up to during its lodgement?


  11. max says:

    So this article is really just here to pimp PC Pitstop’s own FixMeStick.


  12. Richard Waterbury says:

    I’ve used this product and haven’t been touched in 1.5 yrs. Emmunize takes a new approach to virus protection. Instead of letting unknown programs run on your PC as long as they are not on a list of known viruses, Emmunize checks to see if they are on a white list of good programs. If the program isn't listed, Emmunize doesn't let the program execute. So what does that mean?

    Emmunize's "block everything unless it's on your white list" approach stops not only the known viruses and threats to your PC, but the brand new ones out there that haven't made it to traditional antivirus' "bad list" yet. With Emmunize, you have a much higher level of protection than the other guys.


  13. Ron Quesada says:

    Unix/Linux users: Haven’t heard of ZA infecting this OS, but it doesn’t mean it can’t in the future. It’s possible that a variant can be created for ANY operating system out there, but if the creator of such viruses will not gain much from it, then more than likely it won’t happen. It’s like an arsonist deciding if he wants to burn a few trees (Mac/Unix/Linux) or a forest full of trees (Windows). There is a tool called “TDSSKiller” from Kaspersky which you can run to see if you have ZA. Be sure to click on “Change Parameters” and check the “Detect TDLFS file system” option, then scan.


  14. Bob says:

    This article tells me that some people have some malware installed which could give problems to some other people.

    It does not tell me how to find out if I have it. It does not tell me how I should get rid of it if I have it.

    It is about as useful as writing “Sometimes bad things happen” – and about as informative.


  15. Dan Walker says:

    As above, my first question is “How can I know if I have it?”.


  16. David Maxwell says:

    1) Willie Sutton did not actually say this. His actual answer to the reporter was long and convoluted, and the reporter boiled it down to the “quote”.
    2) If I understand correctly, the money is actually coming from Google or Yahoo, not the individual user. Since the scam does not actually affect me in any way, I have little interest in worrying about whether I have the virus or not in my computer. This is Google’s problem, not mine. Am I wrong?


    • Henry says:

      @David Maxwell: It’s only their problem until the C&C server (command and control server) updates the malware to start looking at your bank details etc. Question is: do you really want software on your PC that gives others complete access to it??


    • GD says:

      Yes, you are wrong. Very wrong!

      #1 Sutton robs a bank. You do not have money in that bank, so bank robbery is not your problem?

      #2 Google/Yahoo are theft victims. To cover the theft they raise prices. In the end you pay more. Not your problem?

      #3 If you are not part of the solution, then you are part of the problem.



  17. Juris... says:

    That’s good info, but how about sharing with your readers how to remove the virus the free way and the “Live USB Way.”

    That would be more beneficial, don’t you think?


  18. Eric says:

    I have the same question as Nancy above. You listed the virus, but did not give any indicators on telling if you have it or not. To the best of my knowledge my system is clean, and it’s not acting screwy, but how do I KNOW it’s clean?


  19. Bill says:

    How do I know if I have Zero Access virus?


  20. How do you know if you have this virus?


    • Brad VanHorn says:

      I would suggest going to an online scanner like Trend Micro’s HouseCall. It’s more apt to find it than the scanner on your computer that the virus is hiding from.


  21. Can a Zero Access virus infect (UNIX/LINUX) operating systems, as that is what I am using now instead of Microsoft Windows?


  22. bern says:

    Please use correct English writing structures or get a copy reader to correct your errors.
    Thanks,
    B

    PS Show the reader some of the “Free Ways” B


  23. DELINDA GARNDER says:

    Well, I have PitStop…doesn’t it protect me from this virus??


  24. THEVOlCEOFREASON says:

    More aptly put, just a few more clicks, log into a popular untrusted 3rd-party social site, buy the software directly from the scammer, add to the number of click-throughs originating from a supposed ‘help’ article and leave positive feedback — ultimately “sharing” your virus with all your friends & family. Oh, wait… what have I done!?

