Bamital botnet take-down scores a first as Microsoft notifies infected victims
Shuttles bogus search result clicks to a special page that sports explanation and links to clean-up tools
Computerworld - For the first time, a major botnet take-down has included direct victim notification that warns users their PCs are infected and shows them how to scrub clean their machines.
Yesterday's take-down of the Bamital botnet by Microsoft and Symantec wasn't news. Microsoft has shut down six, including Bamital, in the last three years, including several very large networks of compromised computers such as Waledac in 2010, and Rustock in 2011. And it's worked with Symantec on a botnet-destroy mission before.
Instead, Microsoft and Symantec co-opted Bamital's communication mechanism to add a new twist to the take-down: Each victim is warned when they click on a bogus search result generated by the malware.
"We decided to push the envelope," said Vikram Thakur, principal security response manager with Symantec, in an interview today. "Some degree of notification is almost always possible, but this time we had a technical advantage because the browser was being used by the malware."
That advantage, explained Thakur, was in how the malware redirected victims' search requests. After clicking on legitimate search results in Microsoft's Bing search engine, as well as those operated by Google and Yahoo, users were shunted to Bamital's C&C servers, where browsers were then sent toward bogus results.
The ploy, called "search hijacking," provided Bamital's operators with millions in revenue from so-called "click fraud" schemes, where miscreants artificially pump up the clicks on an online advertising network, earning money for their illicit efforts.
With control of the botnet's C&C servers -- a federal court order allowed Microsoft to seize those systems -- that once-shunted traffic has been intercepted by Microsoft, then sent to a special Web page created by it and Symantec. The page tells users that their Windows PC is probably infected with Bamital, and provides links they can copy and paste into their browser to a pair of clean-up tools from Microsoft and Symantec.
"Victims will notice a problem with their search experience now that the botnet has been taken down," explained Richard Boscovich, assistant general counsel in Microsoft's digital crimes unit, in an email reply to questions. "Because the take-down of this botnet severed the cybercriminals' ability to manipulate and control Bamital-infected computers, victims will become visibly aware that their search function is broken as their search queries will time out. In order for the victims' search experiences to work properly again, they will need to clean their computers from the Bamital malware."
- Step Out of the Bull's-Eye Learn about the evolution of targeted attacks, the latest in security intelligence, and strategic steps to keep your business safe.
- Using Cyber Insurance and Cybercrime Data to Limit Your Business Risk This paper examines the challenges of understanding cyber risks, the importance of having the right cyber risk intelligence, and how to use this...
- 5 Tips to Secure Small Business Backdoors in the Enterprise Supply Chain This paper examines the insecurity of the small businesses in the supply chain and offers tips to close those backdoors into the enterprise.
- Comprehensive Advanced Threat Defense The hot topic in the information security industry these days is "Advanced Threat Defense" (ATD). This paper describes a comprehensive, network-based approach to...
- Live Webcast Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Security Vulnerabilities Associated With Having Local Administrator Privileges Viewfinity will demonstrate how removing admin rights and granularly managing privileges at the application level reduces the attack surface.
- Keep Servers Up and Running and Attackers in the Dark An SSL/TLS handshake requires at least 10 times more processing power on a server than on the client. SSL renegotiation attacks can readily... All Cybercrime and Hacking White Papers | Webcasts