Is there a way in some realistic manner to actually just kill activity from this trojan on one of our core mikrotik devices? Some tell-tale thing we might be able to block or something?
Not sure what a practical way to go about this might be, any advice?
You need to identify traffic of that trojan, then find the consistency (either some IP header field, or some pattern to use in a layer-7 filter) and then block it.
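The identify, match, block sequence from the answer above, written out as RouterOS commands. This is an added example, not configuration posted in the thread or shipped by MikroTik. Everything specific in it is an assumption: the interface name `ether1`, the capture file name, the layer-7 protocol name `suspect-http`, the address-list name `suspect-hosts`, and above all the regexp, which matches a placeholder host name (`example-bad-host.invalid`) standing in for whatever consistent string you actually find in the captured requests.

```routeros
# Added example, not from the original thread. Placeholders (assumed):
# ether1, suspect.pcap, suspect-http, suspect-hosts, example-bad-host.invalid.

# 1. Identify: capture a short sample of port-80 traffic from the LAN side
#    and look for something the suspect requests share (Host header,
#    User-Agent, URI shape, request timing) that normal browsing does not.
/tool sniffer
set filter-interface=ether1 filter-ip-protocol=tcp filter-port=80 file-name=suspect.pcap
start
# ... let it run for a minute or two, then:
stop

# 2. Find the consistency: encode what you saw as a layer-7 regexp.
#    Layer-7 matching is case-insensitive and only inspects the first
#    packets of a connection, so match on the request line/headers, not
#    on anything deep in the body. The host name here is a placeholder.
/ip firewall layer7-protocol
add name=suspect-http regexp="^get [^ ]+ http/1\\.[01].*host: example-bad-host\\.invalid"

# 3. Verify before blocking: log the matches and collect the internal
#    source addresses into an address list. Narrow the rule with
#    protocol/port first so the layer-7 matcher is not run on every packet.
/ip firewall filter
add chain=forward protocol=tcp dst-port=80 layer7-protocol=suspect-http action=add-src-to-address-list address-list=suspect-hosts address-list-timeout=1d comment="collect hosts matching the suspect pattern"
add chain=forward protocol=tcp dst-port=80 layer7-protocol=suspect-http action=log log-prefix="SUSPECT-L7 " comment="check /log and the address list for false positives"

# 4. Block: once the pattern is confirmed, drop it. Move this rule above
#    any general accept rule in the forward chain.
add chain=forward protocol=tcp dst-port=80 layer7-protocol=suspect-http action=drop comment="drop confirmed trojan traffic"
```

Watch the address list for a day before enabling the drop rule: if ordinary workstations keep appearing in it, the pattern is too broad. The layer-7 matcher is also the most CPU-expensive part of the firewall, so if the consistent feature turns out to be a plain header field (a fixed destination port, packet size, or TTL, for instance), prefer a normal `/ip firewall filter` match on that field over a regexp.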
As far as my research goes, the ZeroAccess basically just throws port 80 GET HTTP requests to various adsense URLs, or mines bitcoins and connects to bitcoin wallets. It’s pretty hard to tell the difference between legitimate users doing these things versus a bot doing it.
Obviously, Google have a way to detect it and they’re using that method to block us. Curious as to what those methods might be, so wondering if anyone else has ever managed to get around something like this.