February 07, 2013, 8:46 PM — For the first time, a major botnet take-down has included direct victim notification that warns users their PCs are infected and shows them how to scrub clean their machines.
Yesterday's take-down of the Bamital botnet by Microsoft and Symantec wasn't news. Microsoft has shut down six, including Bamital, in the last three years, including several very large networks of compromised computers such as Waledac in 2010, and Rustock in 2011. And it's worked with Symantec on a botnet-destroy mission before.
Instead, Microsoft and Symantec co-opted Bamital's communication mechanism to add a new twist to the take-down: Each victim is warned when they click on a bogus search result generated by the malware.
"We decided to push the envelope," said Vikram Thakur, principal security response manager with Symantec, in an interview today. "Some degree of notification is almost always possible, but this time we had a technical advantage because the browser was being used by the malware."
That advantage, explained Thakur, was in how the malware redirected victims' search requests. After clicking on legitimate search results in Microsoft's Bing search engine, as well as those operated by Google and Yahoo, users were shunted to Bamital's C&C servers, where browsers were then sent toward bogus results.
The ploy, called "search hijacking," provided Bamital's operators with millions in revenue from so-called "click fraud" schemes, where miscreants artificially pump up the clicks on an online advertising network, earning money for their illicit efforts.
With control of the botnet's C&C servers -- a federal court order allowed Microsoft to seize those systems -- that once-shunted traffic has been intercepted by Microsoft, then sent to a special Web page created by it and Symantec. The page tells users that their Windows PC is probably infected with Bamital, and provides links they can copy and paste into their browser to a pair of clean-up tools from Microsoft and Symantec.