Microsoft, Symantec Team, Topple Bamital Botnet

More than 8 million users were infected by the now-crippled click-fraud botnet over the past two years -- but can the botnet make a comeback?

Microsoft has flexed its legal muscle again to disrupt yet another botnet: this time, the click-fraud Bamital botnet, the sixth such botnet-takedown operation launched by the software giant in three years.

In a Jan. 31 lawsuit filed with the U.S. District Court for the Eastern District of Virginia, Microsoft took action against 18 "John Does" for their alleged role in the botnet operation and ensuing advertising fraud scheme that has infected "multiple thousands" of users to unknowingly do their bidding to redirect online ad revenues to the criminals behind it. Microsoft requested -- and was granted by the court -- permission to shut down communications between the botnet's command-and-control (C&C) servers and the infected bots.

More than 8 million computers have been infected with Bamital over the past two years, according to Microsoft and Symantec, which assisted Microsoft in the operation to derail the botnet. Yesterday, Microsoft and U.S. Marshals seized data and other evidence on the botnet from Web hosting provider sites in Virginia and New Jersey as part of the so-called "Operation b58" effort.

But as with any botnet, the effects of a disruption operation may only be temporary. Gunter Ollmann, CTO of IOActive, says the catch is the botnet's use of the Domain Generation Algorithm (DGA), an obfuscation method employed by some botnets. DGA lets botnet operators hide their C&C servers by using an algorithm to reach out dynamically to multiple servers rather than static servers that could more easily be spotted.

Ollmann says DGA is designed to overcome a takedown. The best hope for eradicating Bamital is any valuable forensics information from the servers that points to the bad guys, he says.

Jeff Williams, director of security strategy for the Counter Threat Unit at Dell SecureWorks and formerly with Microsoft's Digital Crimes Unit, says while it's possible for the botnet operators to retrench at some point, the actions by law enforcement and Microsoft should serve as a healthy deterrent.

"It is unclear the lasting impact of any takedown. However, Microsoft's track record in this space has been quite good both in terms of immediate dilution of the threat and long-term ability to keep the threat and their actors at bay," Williams says. "The combination of technical measures to disrupt the communication channels used for control of the botnet alongside legal measures to take control of domains and to seize hardware for forensic examination and the investigation regarding the actors responsible is a strong combination. Adding to this, many of the actions taken to date have created new precedents which can be leveraged in future actions both by Microsoft and other Internet defenders."

Victims whose machines were infected by the botnet malware will be redirected to a Web page set up by Microsoft and Symantec that directs them on how to disinfect their machines. "As in past botnet actions, Microsoft is also using the intelligence gathered in this operation to work with Internet service providers and Computer Emergency Response Teams to help victims regain control of their computers," said Richard Domigues Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit, in a blog post announcing the takedown.

Boscovich said that not only did Bamital defraud online advertising, but it also redirected victims to shady websites that contained spyware and other malware that could be used for identity theft and other nefarious activity. "For example, in one instance, Microsoft investigators found that Bamital rerouted a search for 'Nickelodeon' to a website that distributed malware, including spyware that is designed to track the activities of the computer owner," Boscovich said. "Meanwhile, in another case, our researchers discovered that an official Norton Internet Security page that appears in a list of search results was redirected to a rogue antivirus site that distributes malware."

Bamital, which has been around since at least late 2009, hijacks search engine results and redirects victims to the bad guys' C&C server, which then sends the victim poisoned search results of its own. Users mainly have been infected by the botnet via drive-by downloads and malicious files, according to Symantec.

During one six-week period in 2011, Symantec saw more than 1.8 million unique IP addresses talking to one Bamital C&C server, with an average of 3 million hijacked clicks daily.

[Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet. See Botnet Takedowns Can Incur Collateral Damage.]

Bamital is just one of many click fraud-type operations, however. "There are a number of botnets involved in click-fraud and DNS manipulation," SecureWorks' Williams says. The U.S. Department of Justice and FBI's operation to shut down Coreflood is one example of a DNS-changing malware attack that was disrupted, he says

Williams estimates that the Bamital operators have likely made millions of dollars off of their scheme. "Money which can be reinvested in additional infrastructure, purchase of exploits, or other underground services and research and development of future threats," he says.

Either way, the takedown effort by Microsoft and Symantec has injured the Bamital operators.

"This takedown will help in the short term ... by disrupting the activities of the parties responsible and preventing them from deriving revenue from the infected computers. In the longer term, the forensic discovery, the attribution of parties involved, and any subsequent law enforcement action can create a chilling effect against potential bad actors going forward, and the legal precedents created can help Microsoft and others to conduct additional operations aimed at disruption of malware operations," SecureWorks' Williams says.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights