Symantec is in the process of sinkholing the ZeroAccess botnet, but in doing so has managed to answer the curious question of whether it's more profitable for criminals to use bots to mine for Bitcoins or conduct click fraud.
In a blog post, the company reveals that the botnet has now reached about 1.9 million machines, more hosts than some legitimate Bitcoin mining pools attract.
While Bitcoin mining is a perfectly legal activity, it has become significantly harder in recent years, often requiring specialised hardware with "application-specific integrated circuits", or ASICs, to mine profitably. But running hardware to mine all day takes electricity, so on average, mining on a modern-day PC can actually cost more than the value of the Bitcoins mined.
Of course, as Symantec points out, that doesn't matter if you're a criminal stealing others' resources. The company makes a couple of assumptions for the value of Bitcoin, the average processing power of a bot, and how much extra electricity is consumed because of the mining process.
It estimates that across all 1.9 million bots, the additional electricity will cost US$560,887 per day. But the return is only US$2165 in Bitcoin. Of course, the value of the Bitcoin varies wildly, and has increased from its US$131 value (which is used in the calculation) to about US$140 today, but it still comes nowhere near the cost of electricity. Furthermore, Symantec's calculations rest on the assumption that these machines are operating 24 hours a day, so the actual number of Bitcoins mined is likely to be lower.
A better case for criminals is click fraud, according to the math that Symantec has done. Using the commandeered machines in the botnet, criminals trick advertisers into thinking that pay-per-click advertisements have been visited and/or viewed. With 1.9 million bots generating around 42 false clicks per hour, Symantec believes that criminals could be raking in tens of millions of dollars a year.
Clearly click fraud is the better return on investment, but the two aren't mutually exclusive — ZeroAccess does both at the same time.
In the meantime, Symantec is still attempting to stop the spread of the botnet. It is a particularly difficult task because, unlike many botnets that have a few central command-and-control centres, ZeroAccess is almost completely peer-to-peer based. Nevertheless, the security company says it has been able to take down a large portion of bots by disrupting how they are able to communicate with each other.