Microsoft busts Bamital botnet

Posted by Kate Taylor

Microsoft and Symantec say they've taken down a botnet that hit more than eight million computers worldwide.

Bamital's search hijacking and click fraud schemes affected many major search engines and browsers, including products from Microsoft, Yahoo and Google.

"In one instance, Microsoft investigators found that Bamital rerouted a search for 'Nickelodeon' to a website that distributed malware, including spyware that is designed to track the activities of the computer owner," says Richard Domigues Boscovich, assistant general counsel for Microsoft Digital Crimes Unit.

"Meanwhile, in another case, our researchers discovered that an official Norton Internet Security page that appears in a list of search results was redirected to a rogue antivirus site that distributes malware."

Bamital first emerged in 2009, and has been evolving ever since. It's propagated mainly through drive-by-downloads and maliciously modified files in peer-to-peer networks.

"From analysis of a single Bamital C&C server over a six-week period in 2011 we were able to identify over 1.8 million unique IP addresses communicating with the server, and an average of three million clicks being hijacked on a daily basis," says Symantec in a blog.

"Recent information from the botnet shows the number of requests reaching the C&C server to be well over one million per day."

The takedown was organized by Project MARS – Microsoft Active Response for Security, with a lawsuit filed on January 31 calling for all the communication lines between the botnet and the malware-infected computers under its control to be cut.

Yesterday, says Microsoft, it and the US Marshals Service raided web-hosting facilities in Virginia and New Jersey and seized valuable data and evidence.

"Because the takedown severed the cybercriminals’ ability to manipulate and control Bamital-infected computers, victims will likely become visibly aware that their search function is broken as their search queries will time out.  As such, Microsoft and Symantec have taken proactive action to notify victims," says Boscovich.

"Owners of infected computers trying to complete a search query will now be directed to an official Microsoft and Symantec webpage that explains the problem and provides information and resources to remove the Bamital infection and other malware from their computers."