Microsoft and Symantec “take down” Bamital clickfraud botnet

By Graeme Burton
07 Feb 2013

Software vendors Microsoft and Symantec have "taken down" the Bamital botnet following a joint investigation lasting more than three years.

The operation involved shutting down servers that were being used to control hundreds of thousands of PCs. The move also made it temporarily impossible for infected computers to search the web. The companies then offered free tools via messages pushed to the users of infected PCs to enable them to clean up their computers, according to a Reuters report.

The messages read: "You have reached this website because your computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer."

The investigation led to data centres in Weehawken, New Jersey, and Manassas, Virginia, which were raided by police after a warrant was issued by the US District Court in Alexandria, Virginia. The machines were ultimately owned by a parent company in the Netherlands, according to Richard Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit.

Microsoft and Symantec estimate that between 300,000 and 1 million PCs were infected with malicious software that was controlled via the servers in data centres in the two locations.

The PCs were infected with the Bamital family of malware, whose primary purpose is clickfraud: it hijacks search engine results to redirect users' clicks to websites of the attackers' choosing, according to Symantec. Bamital also has the ability to click on online adverts without any user interaction.

"Bamital's origin can be tracked back to late 2009 and has evolved through multiple variations over the past couple of years," claims Symantec's official corporate blog.

It added: "Bamital has primarily propagated through drive-by-downloads and maliciously modified files in peer-to-peer networks. From analysis of a single Bamital command and control (C&C) server over a six-week period in 2011, we were able to identify over 1.8 million unique IP addresses communicating with the server, and an average of three million clicks being hijacked on a daily basis. Recent information from the botnet shows the number of requests reaching the C&C server to be well over one million per day.

"Bamital redirected end users to ads and content which they did not intend to visit. It also generated non-human initiated traffic on ads and websites with the intention of getting paid by ad networks. Bamital was also responsible for redirecting users to websites peddling malware under the guise of legitimate software," it continued.

According to Reuters, it is the sixth time that Microsoft has obtained a court order to disrupt a botnet since 2010. While previous operations have targeted bigger botnets, this is the first where infected users have received warnings and been offered tools to clean up their machines - although whether many of them have the ability to use the tools, or even trust the message offered, is another matter.

The two companies believe that the company behind the botnet and the associated clickfraud made at least $1m (£640,000) in revenues through the scam.

They have identified 18 people behind the botnet, based in Russia, Romania, the UK, the US and Australia, and plan to analyse the sequestered servers in order to glean more information about their identities and possible whereabouts.

Symantec has also published an in-depth study of the Bamital family of malware.
