ZeroAccess is an enormously widespread malware threat that has plagued individuals and enterprises for years. It has evolved over time to support new architectures and new versions of Windows.
SophosLabs has analysed previous ZeroAccess bots and rootkits in depth. Rather than being controlled over the usual IRC or HTTP command-and-control channels, ZeroAccess connects to a peer-to-peer botnet, which leaves no single server that can be seized to shut it down.
Sophos’s research has discovered that the ZeroAccess botnet is currently being used for two main purposes: click fraud and Bitcoin mining.
If running at maximum capacity, the ZeroAccess botnet is capable of making a staggering amount of money: in excess of $100,000 a day.
Sophos researchers have also reverse-engineered the mechanisms by which the ZeroAccess owners keep tabs on the botnet, and found an array of techniques designed to bury the call-home network communications in legitimate-seeming traffic.
An analysis of the rootkit that dates back to 2011 by Webroot can be viewed here: http://pxnow.prevx.com/content/blog/zeroaccess_analysis.pdf