Endpoint
2/7/2013
05:00 PM

Microsoft, Symantec Team, Topple Bamital Botnet

More than 8 million users were infected by the now-crippled click-fraud botnet over the past two years -- but can the botnet make a comeback?

Microsoft has flexed its legal muscle again to disrupt yet another botnet: this time, the click-fraud Bamital botnet, the sixth such botnet-takedown operation launched by the software giant in three years.

In a Jan. 31 lawsuit filed with the U.S. District Court for the Eastern District of Virginia, Microsoft took action against 18 "John Does" for their alleged role in the botnet operation and the ensuing advertising fraud scheme, which has infected "multiple thousands" of users and unknowingly enlisted their machines in redirecting online ad revenues to the criminals behind it. Microsoft requested -- and was granted by the court -- permission to shut down communications between the botnet's command-and-control (C&C) servers and the infected bots.

More than 8 million computers have been infected with Bamital over the past two years, according to Microsoft and Symantec, which assisted Microsoft in the operation to derail the botnet. Yesterday, Microsoft and U.S. Marshals seized data and other evidence on the botnet from Web hosting provider sites in Virginia and New Jersey as part of the so-called "Operation b58" effort.

But as with any botnet, the effects of a disruption operation may only be temporary. Gunter Ollmann, CTO of IOActive, says the catch is the botnet's use of a Domain Generation Algorithm (DGA), an obfuscation method employed by some botnets. A DGA lets botnet operators hide their C&C servers: rather than contacting a static set of servers that could more easily be spotted and blocked, the infected machines use the algorithm to work out dynamically which of many possible servers to reach out to.

Ollmann says DGA is designed to overcome a takedown. The best hope for eradicating Bamital is any valuable forensics information from the servers that points to the bad guys, he says.
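As an added illustration of the DGA problem Ollmann describes (this is not code from the article, Microsoft or Symantec, and not Bamital's actual algorithm, which the article does not give): a hypothetical date-seeded DGA, the defender-side pre-computation of every domain it will produce over a window so those names can be sinkholed, registered or blocked ahead of the bots, and a check of constructed DNS query logs for hosts that contacted them. The seed value, hashing scheme, label length and TLD list are all assumptions.

```python
import hashlib
from datetime import date, timedelta

# All values below are constructed for illustration; nothing here is Bamital's real DGA.
TLDS = ("com", "net", "info")          # assumed TLD rotation
SEED = b"placeholder-seed"             # assumed seed, as recovered from a malware sample
LABEL_LEN = 12                         # assumed length of the generated host label


def dga_domains(day: date, seed: bytes = SEED, count: int = 4) -> list[str]:
    """Hypothetical date-seeded DGA: derive `count` candidate C&C domains for `day`
    from SHA-256(seed || YYYYMMDD || index). Every bot computes the same list for the
    same day, so the operator only has to register one of them shortly beforehand."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.strftime("%Y%m%d").encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_blocklist(start: date, days: int, seed: bytes = SEED) -> set[str]:
    """Defender side: with the algorithm and seed in hand, enumerate every domain the
    bots will try over the window so they can be sinkholed, registered or blocked."""
    names: set[str] = set()
    for offset in range(days):
        names.update(dga_domains(start + timedelta(days=offset), seed))
    return names


def flag_dga_lookups(log_lines: list[str], blocklist: set[str]) -> dict[str, list[str]]:
    """Match DNS query log lines ('<timestamp> <client> <qname>') against the precomputed
    list and return the clients that asked for a DGA domain (likely infected hosts)."""
    hits: dict[str, list[str]] = {}
    for line in log_lines:
        _ts, client, qname = line.split()
        if qname.lower().rstrip(".") in blocklist:      # normalise case and trailing dot
            hits.setdefault(client, []).append(qname)
    return hits


# Constructed sample log: two hosts query generated domains (one two days later,
# one upper-cased with a trailing dot), one host queries a benign name.
TODAY = date(2013, 2, 7)
SAMPLE_LOG = [
    f"2013-02-07T10:00:01 10.0.0.5 {dga_domains(TODAY)[0]}",
    "2013-02-07T10:00:02 10.0.0.6 www.example.com",
    f"2013-02-09T10:00:03 10.0.0.7 {dga_domains(TODAY + timedelta(days=2))[1].upper()}.",
]

if __name__ == "__main__":
    window = precompute_blocklist(TODAY, 7)      # a week of candidate domains
    print(f"{len(window)} domains to sinkhole; a one-day static list misses {len(window) - 4}")
    for client, names in flag_dga_lookups(SAMPLE_LOG, window).items():
        print(f"{client} queried DGA domain(s): {', '.join(names)}")
```

A blocklist built from a single day's domains catches host 10.0.0.5 but misses 10.0.0.7, which is the point Ollmann makes: a takedown that only seizes today's names is outrun by tomorrow's.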

Jeff Williams, director of security strategy for the Counter Threat Unit at Dell SecureWorks and formerly with Microsoft's Digital Crimes Unit, says while it's possible for the botnet operators to retrench at some point, the actions by law enforcement and Microsoft should serve as a healthy deterrent.

"It is unclear the lasting impact of any takedown. However, Microsoft's track record in this space has been quite good both in terms of immediate dilution of the threat and long-term ability to keep the threat and their actors at bay," Williams says. "The combination of technical measures to disrupt the communication channels used for control of the botnet alongside legal measures to take control of domains and to seize hardware for forensic examination and the investigation regarding the actors responsible is a strong combination. Adding to this, many of the actions taken to date have created new precedents which can be leveraged in future actions both by Microsoft and other Internet defenders."

Victims whose machines were infected by the botnet malware will be redirected to a Web page set up by Microsoft and Symantec that directs them on how to disinfect their machines. "As in past botnet actions, Microsoft is also using the intelligence gathered in this operation to work with Internet service providers and Computer Emergency Response Teams to help victims regain control of their computers," said Richard Domingues Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit, in a blog post announcing the takedown.

Boscovich said that not only did Bamital defraud online advertising, but it also redirected victims to shady websites that contained spyware and other malware that could be used for identity theft and other nefarious activity. "For example, in one instance, Microsoft investigators found that Bamital rerouted a search for 'Nickelodeon' to a website that distributed malware, including spyware that is designed to track the activities of the computer owner," Boscovich said. "Meanwhile, in another case, our researchers discovered that an official Norton Internet Security page that appears in a list of search results was redirected to a rogue antivirus site that distributes malware."

Bamital, which has been around since at least late 2009, hijacks search engine results and redirects victims to the bad guys' C&C server, which then sends the victim poisoned search results of its own. Users mainly have been infected by the botnet via drive-by downloads and malicious files, according to Symantec.

During one six-week period in 2011, Symantec saw more than 1.8 million unique IP addresses talking to one Bamital C&C server, with an average of 3 million hijacked clicks daily.

[Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet. See Botnet Takedowns Can Incur Collateral Damage.]

Bamital is just one of many click fraud-type operations, however. "There are a number of botnets involved in click-fraud and DNS manipulation," SecureWorks' Williams says. The U.S. Department of Justice and FBI's operation to shut down Coreflood is one example of a DNS-changing malware attack that was disrupted, he says.

Williams estimates that the Bamital operators have likely made millions of dollars off of their scheme. "Money which can be reinvested in additional infrastructure, purchase of exploits, or other underground services and research and development of future threats," he says.

Either way, the takedown effort by Microsoft and Symantec has injured the Bamital operators.

"This takedown will help in the short term ... by disrupting the activities of the parties responsible and preventing them from deriving revenue from the infected computers. In the longer term, the forensic discovery, the attribution of parties involved, and any subsequent law enforcement action can create a chilling effect against potential bad actors going forward, and the legal precedents created can help Microsoft and others to conduct additional operations aimed at disruption of malware operations," SecureWorks' Williams says.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
