SohosLabs has analysed previous ZeroAccess bots and rootkits in depth. The botnet is not ran by the usually protocols of IRC and HTTP, ZeroAccess connects to a Peer to Peer botnet.
Sohpos’s research has discovered that the ZeroAccess botnet is currently being used for two main purposes: Click fraud and Bitcoin mining.
If running at maximum capacity the ZeroAccess botnet is capable of making a staggering amount of money: in excess of $100,000 a day.
Sophos researchers have also reverse-engineered the mechanisms by which the ZeroAccess owners keep tabs on the botnet, and came across an array of formulas applied that are configured to bury the call-home network communications in legitimate-seeming traffic.
An analysis of the rootkit that dates back to 2011 by Webroot can be viewed here: http://pxnow.prevx.com/content/blog/zeroaccess_analysis.pdf