Microsoft and Symantec bring down search engine hijacking botnet

News by Dan Raywood

Microsoft and Symantec have combined forces to bring down the Bamital botnet that had control of over 1.8 million unique IP addresses.


According to Microsoft Trustworthy Computing, the botnet was used to hijack people's search results and take them to potentially dangerous websites that could install malware onto their computer, steal their personal information, or fraudulently charge businesses for online advertisement clicks.

Microsoft estimated that more than eight million computers were compromised by the malware over the past two years, and that the botnet exploited major online search and advertising platforms. The two companies estimated that Bamital generated at least $1 million a year in profits for its owners, and 18 ‘John Doe’ ringleaders have been identified, located in Russia, Romania, Britain, the United States and Australia.

Symantec said: “Bamital is a malware family whose primary purpose is to hijack search engine results, redirecting clicks on these results to an attacker-controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers' choosing.

“Bamital also has the ability to click on advertisements without user interaction. This results in poor user experience when using search engines along with an increased risk of further malware infections. Recent information from the botnet shows the number of requests reaching the C&C server to be well over one million per day.”

Richard Domingues Boscovich, assistant general counsel of the Microsoft Digital Crimes Unit, said that action was taken "to help protect people and advance cloud security for everyone".

He said: “This takedown, known as Operation b58, is the sixth botnet disruption operation in three years by Microsoft as part of our project Mars – Microsoft Active Response for Security – program and the second done in cooperation with Symantec.”

He said that a lawsuit was filed on 31st January against the botnet's operators in order to sever all the communication lines between the botnet and the malware-infected computers under its control. This was granted on 6th February, and Microsoft – escorted by the US Marshals Service – successfully seized valuable data and evidence from the botnet from web-hosting facilities in Virginia and New Jersey.

“Taking down the Bamital botnet is the first step in protecting people. It's important to note that while the cyber criminals in this case used the Bamital malware to break victims' search experience, it was done in such a sneaky way that most victims wouldn't have even noticed a problem while the botnet was still operating,” he said.

“However, because the takedown severed the cyber criminals' ability to manipulate and control Bamital-infected computers, victims will likely become visibly aware that their search function is broken as their search queries will time out. As such, Microsoft and Symantec have taken proactive action to notify victims.”
