Microsoft, Symantec take down Bamital click-fraud botnet

The botnet infected as many as 8 million computers over the past two years, the companies said

Microsoft and Symantec have dismantled a botnet that took over millions of computers for criminal activities such as identity theft and click fraud.

The Bamital botnet threatened the US$12.7 billion online advertising industry by generating fraudulent clicks on Internet ads, which fund many of the free online services available to consumers, the companies said.

As many as 8 million computers were infected with Bamital over the past two years, wrote Richard Domingues Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit, in a blog post Wednesday.

It's the sixth botnet Microsoft has shut down in the past three years, and the second done in cooperation with Symantec, Boscovich wrote.

"Most if not all owners of Bamital-infected computers are unaware that their machines are infected," Microsoft said in a civil suit filed Jan. 31 in U.S. District Court for the Eastern District of Virginia.

The suit asked the court for permission to disrupt the botnet's command-and-control system. U.S. Marshals escorted investigators into Web-hosting facilities in Virginia and New Jersey, where they seized evidence and data, Boscovich wrote.

As in previous botnet-related lawsuits, Microsoft named 18 "John Doe" defendants, several of whom are listed as living in Russia, the U.S. and the U.K. The lawsuit will be amended when the defendants' real names are discovered.

The Bamital code caused users to be shuffled to malicious websites even if they clicked on legitimate search results returned by Microsoft's Bing search engine, as well as those of Yahoo and Google, according to the lawsuit.

By generating unintended clicks and visits, the botnet distorted the online advertising environment by making advertisers pay for clicks that were not genuine, the lawsuit says.

"Simply put, the ad owner paid for internet traffic that is of no use," it states.

Bamital could also steal personal information from computers and conduct distributed denial-of-service attacks, which disrupt websites by bombarding them with too much traffic.

An effort to clean up the infected computers is under way. When people with infected computers complete a search query, they're directed to a Web page from Microsoft and Symantec that explains how to remove the malicious software.

"We've found that cleanup efforts like this not only help clean people's computers, but they also take the very infrastructure the botnet needs to be impactful and profitable away from the cybercriminals," Boscovich wrote.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags symantecMicrosoftsecurityExploits / vulnerabilitiesmalware

More about GoogleMicrosoftSymantecYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place