A White paper by James Wyke, Senior Threat Researcher at SophosLabs examines the changes made in the ZeroAccess Rootkit and takes a closer look at the botnet itself, exploring its size, functionality and purpose. It also explains how the peer-to-peer protocol works, what network traffic is created, and the plugin files that the botnet downloads – what these files are, what they do and how they work.
Download Sophos paper from here – http://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos_ZeroAccess_Botnet.pdf?dl=true