Tag Archive: botnet

Microsoft and Symantec take down Bamital

Bamital wasn’t the biggest botnet around, but its operators were still up to no good — and that ultimately put it in the crosshairs of both Microsoft and Symantec.

The two companies decided to partner up and take action, raiding locations in New Jersey and Virginia. Several servers that were believed to be issuing commands to zombie systems were taken offline, including one that had been pinpointed in The Netherlands.

Just prior to the takedown, Microsoft and Symantec estimate that Bamital was in control of somewhere between 300,000 and 1 million computers. Users of compromised systems were then hijacked while browsing the web — redirected away from legitimate websites like Symantec’s own products pages and deposited instead on sites pushing fakeAV software and other malware.

Now that the servers in charge of those redirects have been shut down, users will be sent to a Microsoft alert page instead. The page provides links to two cleanup tools (one from Microsoft and another from Symantec) to help users get rid of the malicious Bamital code that’s still residing on their systems.

This is just the latest victory in a series of strikes against major botnets. Microsoft has participated in a half dozen such actions in recent years, helping to shut down nasty networks like Zeus, Rustock, and Waledac.

Richard Boscovich of Microsoft’s digital crimes unit believes that the Bamital operation was a complete success, but notes that “only time will tell.” The criminals behind Bamital may not have shown all their cards yet, and it’s possible that the botnet could rise from the ashes. The good guys will be waiting and watching, however, and they’ll surely strike again if that happens.

It sounds like the plot of movie: two major software corporations join together to shut down an evil global cyber crime operation and engage in wacky hijinks along the way. While the latter can be neither confirmed nor denied, according to an exclusive report by Reuters, Microsoft and Symantec did shut down servers that had been controlling hundreds of thousands of PCs without their users being any the wiser.

Bamital botnet’s—the major cyber crime operation’s—main attack involved hijacking search results, among other schemes, that would allow them to fraudulently charge businesses with online ad clicks. The over 18 ringleaders from around the world registered websites and rented servers using pseudonyms. This allowed Bamital to redirect users’ search results to the fraudulent websites, where they would be able to benefit from any subsequent clicks.

Technicians raided data centers with US federal marshalls in tow and were able to persuade operators to take down a server all the way in the Netherlands. According to Microsoft’s and Symantec’s estimations, somewhere between 300,000 and 600,000 were carrying the malware that tethered them to Bamital botnet.

Of course, shutting down the servers meant that infected PCs were temporarily unable to surf the web, but free tools to clean out the malware are automatically being sent to the infected machines along with the following message:

You have reached this website because your computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer.

And both companies lived happily ever after. [Reuters]

Image: Shuttershock/lolloj

%d bloggers like this: