Microsoft and Symantec teamed up to take down a notorious botnet tied to click fraud activity on the Web.
Working together, the companies targeted the Bamital botnet, which hijacked people’s search results and took them to malicious websites that served malware that would either steal their personal information, or fraudulently charge businesses for online advertisement clicks.
“Microsoft and Symantec’s research shows that in the last two years, more than eight million computers have been attacked by Bamital, and that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google,” blogged Richard Domingues Boscovich, assistant general counsel with Microsoft Digital Crimes Unit. “Because this threat exploited the search and online advertising platform to harm innocent people, Microsoft and Symantec chose to take action against the Bamital botnet to help protect people and advance cloud security for everyone.”
Both companies are proactively informing people if their computers are infected with Bamital through an official webpage that offers victims an easy-to-use method to remove the infection, Boscovich added.
According to Symantec, Bamital’s origin goes back to late 2009 and has evolved in multiple ways during the past couple of years.
“Bamital has primarily propagated through drive-by-downloads and maliciously modified files in peer-to-peer (P2P) networks,” according to Symantec’s Security Response team. “From analysis of a single Bamital C&C server over a six-week period in 2011 we were able to identify over 1.8 million unique IP addresses communicating with the server, and an average of three million clicks being hijacked on a daily basis. Recent information from the botnet shows the number of requests reaching the C&C server to be well over one million per day.”
The takedown, known as Operation b58, is the sixth anti-botnet operation by Microsoft in the past three years. On Jan. 31, Microsoft filed a lawsuit supported by a declaration from Symantec against the botnet’s operators in order to “sever all the communication lines between the botnet and the malware-infected computers under its control,” blogged Boscovich.
The court granted Microsoft’s request and on Feb. 6, Microsoft – escorted by the U.S. Marshals Service – seized valuable data and evidence on the botnet from web-hosting facilities in Virginia and New Jersey.
“We’ve found that cleanup efforts like this not only help clean people’s computers, but they also take the very infrastructure the botnet needs to be impactful and profitable away from the cybercriminals,” Boscovich added.
“This case and operation are ongoing, and we’ll continue to provide updates as they become available,” he wrote.