Bamital botnet take-down scores a first as Microsoft notifies infected victims

Shuttles bogus search result clicks to a special page that sports explanation and links to clean-up tools

For the first time, a major botnet take-down has included direct victim notification that warns users their PCs are infected and shows them how to scrub clean their machines.

Yesterday's take-down of the Bamital botnet by Microsoft and Symantec wasn't news. Microsoft has shut down six, including Bamital, in the last three years, including several very large networks of compromised computers such as Waledac in 2010, and Rustock in 2011. And it's worked with Symantec on a botnet-destroy mission before.

Instead, Microsoft and Symantec co-opted Bamital's communication mechanism to add a new twist to the take-down: Each victim is warned when they click on a bogus search result generated by the malware.

"We decided to push the envelope," said Vikram Thakur, principal security response manager with Symantec, in an interview today. "Some degree of notification is almost always possible, but this time we had a technical advantage because the browser was being used by the malware."

That advantage, explained Thakur, was in how the malware redirected victims' search requests. After clicking on legitimate search results in Microsoft's Bing search engine, as well as those operated by Google and Yahoo, users were shunted to Bamital's C&C servers, where browsers were then sent toward bogus results.

The ploy, called "search hijacking," provided Bamital's operators with millions in revenue from so-called "click fraud" schemes, where miscreants artificially pump up the clicks on an online advertising network, earning money for their illicit efforts.

With control of the botnet's C&C servers -- a federal court order allowed Microsoft to seize those systems -- that once-shunted traffic has been intercepted by Microsoft, then sent to a special Web page created by it and Symantec. The page tells users that their Windows PC is probably infected with Bamital, and provides links they can copy and paste into their browser to a pair of clean-up tools from Microsoft and Symantec.

"Victims will notice a problem with their search experience now that the botnet has been taken down," explained Richard Boscovich, assistant general counsel in Microsoft's digital crimes unit, in an email reply to questions. "Because the take-down of this botnet severed the cybercriminals' ability to manipulate and control Bamital-infected computers, victims will become visibly aware that their search function is broken as their search queries will time out. In order for the victims' search experiences to work properly again, they will need to clean their computers from the Bamital malware."

Users whose PCs are infected with Bamital are now being redirected to this page, which explains why they're there and how they can clean their systems of the malware. (Image: Microsoft, Symantec.)

Only the traffic that was being illegally redirected by Bamital is being captured by Microsoft, and sent to the warning/clean-up page, said Thakur. "We don't see any but that, and we don't want to," he said.

Microsoft asked for, and received, court approval to reach out directly to victims in this take-down.

Boscovich said that the direct notification was "a unique instance in light of the type of malware," but he left the door open to repeating the tactic in the future.

"We may look into using this type of remediation in the future, but every botnet operation is unique and any approach we take would depend on the circumstances," Boscovich wrote. "That said, if the specific botnet requires immediate notification due to unique malware attributes, such as a functionality being compromised or a major security issue, we would explore asking the court for similar action again."

Past botnet take-downs have usually included a notification and/or remediation component, but until Bamital, that was left to Internet service providers (ISPs) or countries' computer emergency response teams (CERTs), such as the United States' US-CERT.

The complexity of coordinating with scores of ISPs and CERTS has often made the last piece in the puzzle -- getting users to clean their PCs -- difficult and ineffective.

The DNSChanger take-down, conducted in late 2011 by the U.S. Department of Justice, seized control of hackers' C&C servers and replaced them with government-controlled machines to keep victims online. But more than eight months later, an estimated 250,000 to 300,000 users had yet to wash away the malware.

Thakur was confident that the Bamital notification would result in a dramatic decrease in the number of infected PCs. "Within six months, certainly in less than a year, I'd expect that 80% or 90% of the [infected] PCs would be cleaned," he said.

"We've drawn the line on code," said Thakur, referring to modifying the malware to render it impotent, or remotely cleaning victims' PCs without their knowledge. "But without crossing that line, we'll do whatever we can."

Symantec has published more information about Bamital in a research paper that can be downloaded free of charge from its website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is

See more by Gregg Keizer on

Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags Cybercrime and HackingYahooantispamsymantecGoogleMicrosoftsecuritybingMalware and Vulnerabilities

More about AppleCERT AustraliaDepartment of JusticeGoogleMicrosoftSymantecTopicYahoo

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place