Bamital botnet take-down scores a first as Microsoft notifies infected victims

Shuttles bogus search result clicks to a special page that sports explanation and links to clean-up tools

1 2 Page 2
Page 2 of 2

Only the traffic that was being illegally redirected by Bamital is being captured by Microsoft, and sent to the warning/clean-up page, said Thakur. "We don't see any but that, and we don't want to," he said.

Microsoft asked for, and received, court approval to reach out directly to victims in this take-down.

Boscovich said that the direct notification was "a unique instance in light of the type of malware," but he left the door open to repeating the tactic in the future.

"We may look into using this type of remediation in the future, but every botnet operation is unique and any approach we take would depend on the circumstances," Boscovich wrote. "That said, if the specific botnet requires immediate notification due to unique malware attributes, such as a functionality being compromised or a major security issue, we would explore asking the court for similar action again."

Past botnet take-downs have usually included a notification and/or remediation component, but until Bamital, that was left to Internet service providers (ISPs) or countries' computer emergency response teams (CERTs), such as the United States' US-CERT.

The complexity of coordinating with scores of ISPs and CERTS has often made the last piece in the puzzle -- getting users to clean their PCs -- difficult and ineffective.

The DNSChanger take-down, conducted in late 2011 by the U.S. Department of Justice, seized control of hackers' C&C servers and replaced them with government-controlled machines to keep victims online. But more than eight months later, an estimated 250,000 to 300,000 users had yet to wash away the malware.

Thakur was confident that the Bamital notification would result in a dramatic decrease in the number of infected PCs. "Within six months, certainly in less than a year, I'd expect that 80% or 90% of the [infected] PCs would be cleaned," he said.

"We've drawn the line on code," said Thakur, referring to modifying the malware to render it impotent, or remotely cleaning victims' PCs without their knowledge. "But without crossing that line, we'll do whatever we can."

Symantec has published more information about Bamital in a research paper that can be downloaded free of charge from its website.

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at  @gkeizer, on Google+ or subscribe to Gregg's RSS feed . His email address is

See more by Gregg Keizer on

Copyright © 2013 IDG Communications, Inc.

1 2 Page 2
Page 2 of 2
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon