A cooperative operation between Microsoft and Symantec had netted a massive botnet that targeted the whole online advertising platform. Both companies said that operators of the illegal network of computers has been making about $1 million every year by redirecting traffic to websites users don’t intend to go. Such scheme makes money for the botnet operators through online advertising networks. Called Bamital botnet, the network forces infected computers to visit websites that also offer malware, making the infected PCs even more vulnerable for more serious problems like identity theft and additional malware infections.
Microsoft and Symantec managed to shut down, for now, Bamital following a U.S. District Court’s order to take down two data centers that controls the botnet. Technicians from Microsoft and Symantec, together with government agents, spearheaded the operation to seize a server in Weehawken, New Jersey owned by ISPrime data center. Another data center, LeaseWeb, located in Manassas, Virginia decided to shut down their server after its company headquarters in the Netherlands directed it to. LeaseWeb is making a copy of the server so Microsoft and Symantec can check them. Symantec’s Principal Security Response Manager, Vikram Thakur, said, “These servers were command and control servers, and were also absorbing the malicious traffic the botnet was creating.”
Microsoft’s Digital Crimes Unit, together with its counterpart from Symantec, had been studying the botnet’s activities for two years. According to the research from the two companies, Bamital had attacked more than eight million PCs and its search hijacking scheme had affected many browsers like those provided for free by Google and Microsoft and search engines like Yahoo, Google, and Microsoft.
While the malware from the botnet had already been identified since 2011, pinpointing the exact servers that act as command and control centers took some to identify, said Richard Boscovich, a General Counsel of Microsoft. “The malware was morphing back and forth, so it made difficult to identify the targets,” Boscovich said. The two companies decided to take action a few months ago after noticing that the botnet had stabilized, offering a good chance of going after it. The legal aspect of the case took two months to be secured.
Research results from Symantec and Microsoft showed that there had been several generations of Bamital, even providing evidence that an activity had dated to at least 3 years back. Forensic evidence from the investigation showed that the early versions of Bamital that were used in attacks used HTML injection. “They injected an iframe into every page so whatever page loaded also loaded content from the bad guys,” said Thakur.
Bamital’s more advanced versions redirects a page, after a user clicks on a search page, to the botnet’s own servers, allowing HTML redirects so that the traffic from the victim goes to an advertising network. The said network would act as a clearinghouse for other advertisers, so a single click actually goes through a few sets of redirects before it pulls up a website, which is not the intended site of the user.
Due to the nature of the case, Microsoft took a step further from its usual handling of botnet takedowns by letting the victims of Bamital know of the infection. “One of things we’re doing a little differently in this case is we’re doing direct victim notification,” said Boscovich. Computers identified as having contacted the malware will be redirected to a Microsoft webpage so users can get help in removing the malware and any other malware that may have also infected the machines. “There are AV signatures out there for this malware already,” he added.
In later variants of Bamital, the malware simply redirected any click on a search page to the botnet’s own servers, which in turn used HTML redirects to feed the victims’ traffic into an advertising network. That network acted as a clearinghouse for other advertiser networks, so a click could go through several sets of redirects before it actually landed on a website—and not the one the user expected.
Because of the nature of Bamital, Microsoft is now in a position that’s different from some of its previous botnet takedowns—it has a direct line to victims of the malware. “One of things we’re doing a little differently in this case is we’re doing direct victim notification,” Boscovich said. Users with systems infected by Bamital will now be redirected to a Microsoft webpage offering tools to help remove the Bamital malware—as well as any other malware that’s out there. “There are AV signatures out there for this malware already,” Boscovich said.
Boscovich also said that machines running with outdated operating systems or antivirus software will get notifications from Microsoft when someone searches for something using their browsers.
The initial way of propagating Bamital was a mixed one, including spreading the malware through peer-to-peer filesharing networks hidden as a harmless file. However, most of the machines infected by Bamital malware were victims of “driveby downloads” after visiting booby-trapped websites that usually exploits flaws in browsers. “We have evidence of [the botnet operators] polluting search engine results for certain search terms with links to servers with exploits,” Thakur said.
As Bamital evolved over time, its operators tried to also “upgrade” the machines they had already infected. Thakur said the effort was not very successful because many of the computers were actually left behind. The older servers handling the earlier versions also seemed to have been abandoned.
Microsoft and Symantec finally had a break after they were able to detect and monitor the traffic being directed to one of the servers hosting the botnet. The researchers from the two companies discovered that there were about 3 million clicks that were being hijacked everyday, said Thakur. They were able to determine that the operators of the botnet were making about $1 million every year based on a conservative estimate of a payment for one-tenth of a percent of the entire advertising value of each click.
All the advertising networks linked to the Bamital botnet themselves may also be completely fraudulent. Acting as clearinghouses for the traffic, the advertising networks resold them to legitimate affiliate programs and advertising networks. Bamital has to go through several ad networks before a website is displayed, which is also not what the user wanted in the first place. “It was super convulated,” said Thakur.