Bamital botnet take-down scores a first as Microsoft notifies infected victims
Shuttles bogus search result clicks to a special page that sports explanation and links to clean-up tools
For the first time, a major botnet take-down has included direct victim notification that warns users their PCs are infected and shows them how to scrub clean their machines.
Yesterday's take-down of the Bamital botnet by Microsoft and Symantec wasn't news. Microsoft has shut down six, including Bamital, in the last three years, including several very large networks of compromised computers such as Waledac in 2010, and Rustock in 2011. And it's worked with Symantec on a botnet-destroy mission before.
Instead, Microsoft and Symantec co-opted Bamital's communication mechanism to add a new twist to the take-down: Each victim is warned when they click on a bogus search result generated by the malware.
"We decided to push the envelope," said Vikram Thakur, principal security response manager with Symantec, in an interview today. "Some degree of notification is almost always possible, but this time we had a technical advantage because the browser was being used by the malware."
That advantage, explained Thakur, was in how the malware redirected victims' search requests. After clicking on legitimate search results in Microsoft's Bing search engine, as well as those operated by Google and Yahoo, users were shunted to Bamital's C&C servers, where browsers were then sent toward bogus results.
The ploy, called "search hijacking," provided Bamital's operators with millions in revenue from so-called "click fraud" schemes, where miscreants artificially pump up the clicks on an online advertising network, earning money for their illicit efforts.
With control of the botnet's C&C servers -- a federal court order allowed Microsoft to seize those systems -- that once-shunted traffic has been intercepted by Microsoft, then sent to a special Web page created by it and Symantec. The page tells users that their Windows PC is probably infected with Bamital, and provides links they can copy and paste into their browser to a pair of clean-up tools from Microsoft and Symantec.
"Victims will notice a problem with their search experience now that the botnet has been taken down," explained Richard Boscovich, assistant general counsel in Microsoft's digital crimes unit, in an email reply to questions. "Because the take-down of this botnet severed the cybercriminals' ability to manipulate and control Bamital-infected computers, victims will become visibly aware that their search function is broken as their search queries will time out. In order for the victims' search experiences to work properly again, they will need to clean their computers from the Bamital malware."
Users whose PCs are infected with Bamital are now being redirected to this page, which explains why they're there and how they can clean their systems of the malware. (Image: Microsoft, Symantec.)
Only the traffic that was being illegally redirected by Bamital is being captured by Microsoft, and sent to the warning/clean-up page, said Thakur. "We don't see any but that, and we don't want to," he said.
Microsoft asked for, and received, court approval to reach out directly to victims in this take-down.
Boscovich said that the direct notification was "a unique instance in light of the type of malware," but he left the door open to repeating the tactic in the future.
"We may look into using this type of remediation in the future, but every botnet operation is unique and any approach we take would depend on the circumstances," Boscovich wrote. "That said, if the specific botnet requires immediate notification due to unique malware attributes, such as a functionality being compromised or a major security issue, we would explore asking the court for similar action again."
Past botnet take-downs have usually included a notification and/or remediation component, but until Bamital, that was left to Internet service providers (ISPs) or countries' computer emergency response teams (CERTs), such as the United States' US-CERT.
The complexity of coordinating with scores of ISPs and CERTS has often made the last piece in the puzzle -- getting users to clean their PCs -- difficult and ineffective.
The DNSChanger take-down, conducted in late 2011 by the U.S. Department of Justice, seized control of hackers' C&C servers and replaced them with government-controlled machines to keep victims online. But more than eight months later, an estimated 250,000 to 300,000 users had yet to wash away the malware.
Thakur was confident that the Bamital notification would result in a dramatic decrease in the number of infected PCs. "Within six months, certainly in less than a year, I'd expect that 80% or 90% of the [infected] PCs would be cleaned," he said.
"We've drawn the line on code," said Thakur, referring to modifying the malware to render it impotent, or remotely cleaning victims' PCs without their knowledge. "But without crossing that line, we'll do whatever we can."
Symantec has published more information about Bamital in a research paper that can be downloaded free of charge from its website.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about cybercrime and hacking in Computerworld's Cybercrime and Hacking Topic Center.