Microsoft and Symantec Take Down Bamital Botnet That Hijacks Online Searches

The following is a post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.

As reported by Reuters earlier today, the Microsoft Digital Crimes Unit, in collaboration with Symantec, has taken down the Bamital botnet, which hijacked people’s search results and sent them to potentially dangerous websites that could install malware on their computers, steal their personal information, or fraudulently charge businesses for online advertisement clicks. Microsoft and Symantec’s research shows that in the last two years more than eight million computers have been attacked by Bamital, and that the botnet’s search-hijacking and click-fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google. Because this threat exploited the search and online advertising platform to harm innocent people, Microsoft and Symantec chose to take action against the Bamital botnet to help protect people and advance cloud security for everyone.

Microsoft and Symantec are proactively informing people that their computers are infected with Bamital through an official webpage that offers victims an easy-to-use method to remove the infection.

The Bamital botnet defrauded the online advertising ecosystem that allows the Internet and many online services to be free, but what is most concerning is that these cybercriminals sent people to sites they never intended to visit and took control of the computer away from its owner. Much like being coerced through a dark alleyway, this redirection left a person whose computer was already infected with Bamital more vulnerable to other crimes, such as identity theft and additional malware infections. For example, in one instance Microsoft investigators found that Bamital rerouted a search for “Nickelodeon” to a website that distributed malware, including spyware designed to track the activities of the computer owner. In another case, our researchers discovered that a search result pointing to an official Norton Internet Security page was redirected to a rogue antivirus site that distributes malware.

This takedown, known as Operation b58, is the sixth botnet disruption operation in three years by Microsoft as part of our Project MARS (Microsoft Active Response for Security) program and the second done in cooperation with Symantec. Building on the successes of prior botnet operations, Microsoft and Symantec used a combined legal and technical action to take down Bamital. Specifically, on January 31 Microsoft filed a lawsuit against the botnet’s operators, supported by a declaration from Symantec, in order to sever all communication between the botnet and the malware-infected computers under its control. The court granted Microsoft’s request, and on February 6 Microsoft, escorted by the U.S. Marshals Service, seized valuable data and evidence from the botnet’s infrastructure. The evidence was taken from web-hosting facilities in Virginia and New Jersey.

Taking down the Bamital botnet is the first step in protecting people. It is important to note that while the cybercriminals in this case used the Bamital malware to break victims’ search experience, it was done so quietly that most victims would not have noticed a problem while the botnet was still operating. Now that the takedown has severed the criminals’ ability to manipulate and control Bamital-infected computers, the hijacked search requests from those machines no longer reach the criminals’ servers; left alone, those queries would simply time out, and victims would become visibly aware that their search function is broken. Microsoft and Symantec have therefore taken proactive action to notify victims. Owners of infected computers trying to complete a search query will now be directed to an official Microsoft and Symantec webpage that explains the problem and provides information and resources to remove the Bamital infection and other malware from their computers. As in past botnet actions, Microsoft is also using the intelligence gathered in this operation to work with Internet service providers and Computer Emergency Response Teams to help victims regain control of their computers.

We have found that cleanup efforts like this not only help clean people’s computers, but also take away the very infrastructure the botnet needs to be impactful and profitable. Because the data gathered from this takedown will become part of Microsoft’s ongoing research in support of protecting its customers from a range of evolving online security threats, we can use the criminals’ own infrastructure against them and make it harder and more expensive for them to commit cybercrime.

For those worried that their computer might be infected, Microsoft offers free tools and information that can help people remove Bamital and other malware from their computers.

This case and operation are ongoing, and we will continue to provide updates as they become available. To stay up to date on the latest developments in the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter. More information on this case can be found from Symantec and Microsoft Security. Meanwhile, images of the seizure and the malware at work can be found here.