Microsoft, Symantec Team, Topple Bamital Botnet

More than 8 million users were infected by the now-crippled click-fraud botnet over the past two years -- but can the botnet make a comeback?

Microsoft has flexed its legal muscle again to disrupt yet another botnet: this time, the click-fraud Bamital botnet, the sixth such botnet-takedown operation launched by the software giant in three years.

In a Jan. 31 lawsuit filed with the U.S. District Court for the Eastern District of Virginia, Microsoft took action against 18 "John Does" for their alleged role in running the botnet and the advertising-fraud scheme built on it, which infected the machines of "multiple thousands" of users and used them, without their owners' knowledge, to redirect online ad revenue to the criminals behind it. Microsoft requested -- and was granted by the court -- permission to shut down communications between the botnet's command-and-control (C&C) servers and the infected bots.

More than 8 million computers have been infected with Bamital over the past two years, according to Microsoft and Symantec, which assisted Microsoft in the operation to derail the botnet. Yesterday, Microsoft and U.S. Marshals seized data and other evidence on the botnet from Web hosting provider sites in Virginia and New Jersey as part of the so-called "Operation b58" effort.

But as with any botnet, the effects of a disruption operation may only be temporary. Gunter Ollmann, CTO of IOActive, says the catch is the botnet's use of a domain generation algorithm (DGA), a technique some botnets use to evade domain-based takedowns. A DGA lets botnet operators hide their C&C servers by having every bot compute, from a shared algorithm and a changing input such as the current date, a fresh list of candidate domains to contact, rather than relying on static servers or domains that could more easily be spotted and seized. The operator needs to register only one of the candidates shortly before the bots start looking for it.

Ollmann says a DGA is designed to overcome a takedown. The best hope for eradicating Bamital is any valuable forensic information from the seized servers that points to the bad guys, he says.
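To make the DGA point concrete, here is an added illustrative example that is not code from the article, from Microsoft or Symantec, and is not Bamital's actual algorithm (which the article does not describe). The seed, TLD set, candidates-per-day count, hash construction and log format are all assumptions chosen for illustration. It shows the two sides of the problem Ollmann describes: the bot side, where seizing today's C&C domain changes nothing because tomorrow's list is computed from the date, and the defender side, where a recovered algorithm and seed let you pre-compute and sinkhole future domains and spot infected clients in passive-DNS logs.

```python
"""Illustrative date-seeded DGA and its defender-side use.

Constructed example: NOT Bamital's DGA. SHARED_SECRET, TLDS, DOMAINS_PER_DAY,
the SHA-256 construction and the log line format are assumptions.
"""
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Set

TLDS = ("com", "net", "info")             # assumed TLD set
DOMAINS_PER_DAY = 8                        # assumed candidates per day
SHARED_SECRET = b"example-campaign-seed"   # assumed seed hard-coded in the bot
SAMPLE_DAY = date(2013, 2, 6)              # constructed date for the demo


def dga_domains(day: date, count: int = DOMAINS_PER_DAY) -> List[str]:
    """Return the candidate C&C domains a bot would try on `day`.

    Every bot derives the same list from the date and a hard-coded seed, so the
    operator registers one of them just before the bots look for it. Seizing
    the domain in use today does not sever control: tomorrow the bots derive a
    fresh list.
    """
    domains = []
    for i in range(count):
        material = SHARED_SECRET + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).hexdigest()
        label = digest[:12]                          # random-looking label
        tld = TLDS[int(digest[-2:], 16) % len(TLDS)]  # pick a TLD from the hash
        domains.append(f"{label}.{tld}")
    return domains


def sinkhole_list(start: date, days: int) -> Set[str]:
    """Pre-compute every domain the bots will try over the next `days` days.

    This is what turns a DGA takedown from temporary to durable: once the
    algorithm and seed are recovered (e.g. from seized servers or a reversed
    sample), defenders can register or sinkhole the future domains first.
    """
    out: Set[str] = set()
    for offset in range(days):
        out.update(dga_domains(start + timedelta(days=offset)))
    return out


def flag_dga_lookups(dns_log_lines: Iterable[str], start: date, days: int) -> List[str]:
    """Return client IPs whose DNS queries hit a precomputed DGA domain.

    Log format is constructed for this example: '<client-ip> <qname>'.
    """
    watch = sinkhole_list(start, days)
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        if qname.rstrip(".").lower() in watch:
            hits.append(client)
    return hits


def demo_hits() -> List[str]:
    """Constructed passive-DNS sample: two bots (one querying today's list, one
    a domain two days out) and two benign clients."""
    today = dga_domains(SAMPLE_DAY)
    later = dga_domains(SAMPLE_DAY + timedelta(days=2))
    sample_log = [
        f"10.0.0.5 {today[3]}.",          # bot, today's candidate, trailing dot
        "10.0.0.6 www.example.com",       # benign
        f"10.0.0.7 {later[0]}",           # bot already on a future domain
        "10.0.0.8 mail.example.net",      # benign
    ]
    return flag_dga_lookups(sample_log, SAMPLE_DAY, 7)


if __name__ == "__main__":
    print("today's candidates:", dga_domains(SAMPLE_DAY))
    print("domains to sinkhole this week:", len(sinkhole_list(SAMPLE_DAY, 7)))
    print("infected clients in sample log:", demo_hits())
```

Two design points worth noting. First, the defender's blocklist has to cover a window of future days, not just today, because bots that have not yet checked in will go straight to whichever day's list is current when they wake. Second, the pre-computation only works once the seed is known, which is why Ollmann places so much weight on the forensic value of the seized servers.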

Jeff Williams, director of security strategy for the Counter Threat Unit at Dell SecureWorks and formerly with Microsoft's Digital Crimes Unit, says while it's possible for the botnet operators to retrench at some point, the actions by law enforcement and Microsoft should serve as a healthy deterrent.

"It is unclear the lasting impact of any takedown. However, Microsoft's track record in this space has been quite good both in terms of immediate dilution of the threat and long-term ability to keep the threat and their actors at bay," Williams says. "The combination of technical measures to disrupt the communication channels used for control of the botnet alongside legal measures to take control of domains and to seize hardware for forensic examination and the investigation regarding the actors responsible is a strong combination. Adding to this, many of the actions taken to date have created new precedents which can be leveraged in future actions both by Microsoft and other Internet defenders."

Victims whose machines were infected by the botnet malware will be redirected to a Web page set up by Microsoft and Symantec that directs them on how to disinfect their machines. "As in past botnet actions, Microsoft is also using the intelligence gathered in this operation to work with Internet service providers and Computer Emergency Response Teams to help victims regain control of their computers," said Richard Domingues Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit, in a blog post announcing the takedown.

Boscovich said that not only did Bamital defraud online advertising, but it also redirected victims to shady websites that contained spyware and other malware that could be used for identity theft and other nefarious activity. "For example, in one instance, Microsoft investigators found that Bamital rerouted a search for 'Nickelodeon' to a website that distributed malware, including spyware that is designed to track the activities of the computer owner," Boscovich said. "Meanwhile, in another case, our researchers discovered that an official Norton Internet Security page that appears in a list of search results was redirected to a rogue antivirus site that distributes malware."

Bamital, which has been around since at least late 2009, hijacks search engine results and redirects victims to the bad guys' C&C server, which then sends the victim poisoned search results of its own. Users mainly have been infected by the botnet via drive-by downloads and malicious files, according to Symantec.

During one six-week period in 2011, Symantec saw more than 1.8 million unique IP addresses talking to one Bamital C&C server, with an average of 3 million hijacked clicks daily.

[Microsoft Zeus botnet case demonstrates risks, challenges associated with takedowns when multiple groups are tracking the same botnet. See Botnet Takedowns Can Incur Collateral Damage.]

Bamital is just one of many click fraud-type operations, however. "There are a number of botnets involved in click-fraud and DNS manipulation," SecureWorks' Williams says. The U.S. Department of Justice and FBI's operation to shut down Coreflood is one example of a DNS-changing malware attack that was disrupted, he says.

Williams estimates that the Bamital operators have likely made millions of dollars off of their scheme. "Money which can be reinvested in additional infrastructure, purchase of exploits, or other underground services and research and development of future threats," he says.

Either way, the takedown effort by Microsoft and Symantec has injured the Bamital operators.

"This takedown will help in the short term ... by disrupting the activities of the parties responsible and preventing them from deriving revenue from the infected computers. In the longer term, the forensic discovery, the attribution of parties involved, and any subsequent law enforcement action can create a chilling effect against potential bad actors going forward, and the legal precedents created can help Microsoft and others to conduct additional operations aimed at disruption of malware operations," SecureWorks' Williams says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing and Secure Enterprise.
