The goal of this trojan is to earn money through Click Fraud... It is a type of crime that abuses pay-per-click advertising to make money through fraudulent or fake clicks on advertisements. ZeroAccess makes money when it generate clicks on Ads. In addition, ZeroAccess has is own botnet. It is ideal for generating a large number of clicks.
I got a sample of this trojan. I uploaded the binary to Virustotal and only 3 antivirus programs detected it as a trojan. If you want a copy, contact me at the botton of this page.
Currently, you can see how many antivirus programs detect the file as malware:
I created a virtual machine and I executed this program in a fresh environment.
The first thing ZeroAccess does is connect to http://j.maxmind.com/app/geoip.js in order to locate the infected host in the world.
The second thing the trojan does is connect with some visit counters. It seems the botnet wants to know how many hosts it has infected.
Then, the trojan makes malformated DNS requests... Wireshark detects them as DNS traffic because these packets are sent over port 53 assigned to DNS traffic. Really it isn't DNS traffic, the trojan is establishing connections with the C&C (command and control) servers and the packets are ciphers.
Finally, the trojan begins to generate traffic over port 16464/UDP.
Each time that I restart the virtual machine, ZeroAccess creates a new code to send to other infected hosts over port 16464/UDP.
Notice that part of the code is always the same: 28948dabc9c0d19. Maybe it is the the node where my computer is connected.
ZeroAccess generates some traffic over port 123/UDP. It's the same case than DNS traffic too. It's not a real NTP traffic.
Your can continue reading ZeroAccess Trojan - Network Analysis Part II