Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Microsoft, Symantec Blast Bamital Botnet in Takedown Operation

Microsoft and Symantec teamed up to takedown a notorious botnet tied to click fraud activity on the Web.

Microsoft and Symantec teamed up to takedown a notorious botnet tied to click fraud activity on the Web.

Working together, the companies targeted the Bamital botnet, which hijacked people’s search results and took them to malicious websites that served malware that would either steal their personal information, or fraudulently charge businesses for online advertisement clicks.

“Microsoft and Symantec’s research shows that in the last two years, more than eight million computers have been attacked by Bamital, and that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google,” blogged Richard Domigues Boscovich, assistant general counsel with Microsoft Digital Crimes Unit. “Because this threat exploited the search and online advertising platform to harm innocent people, Microsoft and Symantec chose to take action against the Bamital botnet to help protect people and advance cloud security for everyone.”

Both companies are proactively informing people if their computers are infected Bamital through an official webpage that offers victims an easy-to-use method to remove the infection, Boscovich added.

According to Symantec, Bamital’s origin goes back to late 2009 and has evolved in multiple ways during the past couple of years.

“Bamital has primarily propagated through drive-by-downloads and maliciously modified files in peer-to-peer (P2P) networks,” according to Symantec’s Security Response team. “From analysis of a single Bamital C&C server over a six-week period in 2011 we were able to identify over 1.8 million unique IP addresses communicating with the server, and an average of three million clicks being hijacked on a daily basis. Recent information from the botnet shows the number of requests reaching the C&C server to be well over one million per day.”

The takedown, known as Operation b58, is the sixth anti-botnet operation by Microsoft in the past three years. On Jan. 31, Microsoft filed a lawsuit supported by a declaration from Symantec against the botnet’s operators in order to “sever all the communication lines between the botnet and the malware-infected computers under its control,” blogged Boscovich.

The court granted Microsoft’s request and on Feb. 6, Microsoft – escorted by the U.S. Marshals Service – seized valuable data and evidence on the botnet from web-hosting facilities in Virginia and New Jersey.

“We’ve found that cleanup efforts like this not only help clean people’s computers, but they also take the very infrastructure the botnet needs to be impactful and profitable away from the cybercriminals,” Boscovich added. 

“This case and operation are ongoing, and we’ll continue to provide updates as they become available,” he wrote. 

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.