"Victims will notice a problem with their search experience now that the botnet has been taken down," explained Richard Boscovich, assistant general counsel in Microsoft's digital crimes unit, in an email reply to questions. "Because the take-down of this botnet severed the cybercriminals' ability to manipulate and control Bamital-infected computers, victims will become visibly aware that their search function is broken as their search queries will time out. In order for the victims' search experiences to work properly again, they will need to clean their computers from the Bamital malware."
Users whose PCs are infected with Bamital are now being redirected to this page, which explains why they're there and how they can clean their systems of the malware. (Image: Microsoft, Symantec.)
Only the traffic that was being illegally redirected by Bamital is being captured by Microsoft and sent to the warning/clean-up page, said Thakur. "We don't see any but that, and we don't want to," he said.
Microsoft asked for, and received, court approval to reach out directly to victims in this take-down.
Boscovich said that the direct notification was "a unique instance in light of the type of malware," but he left the door open to repeating the tactic in the future.
"We may look into using this type of remediation in the future, but every botnet operation is unique and any approach we take would depend on the circumstances," Boscovich wrote. "That said, if the specific botnet requires immediate notification due to unique malware attributes, such as a functionality being compromised or a major security issue, we would explore asking the court for similar action again."
Past botnet take-downs have usually included a notification and/or remediation component, but until Bamital, that was left to Internet service providers (ISPs) or countries' computer emergency response teams (CERTs), such as the United States' US-CERT.
The complexity of coordinating with scores of ISPs and CERTs has often made the last piece in the puzzle -- getting users to clean their PCs -- difficult and ineffective.
The DNSChanger take-down, conducted in late 2011 by the U.S. Department of Justice, seized control of hackers' C&C servers and replaced them with government-controlled machines to keep victims online. But more than eight months later, an estimated 250,000 to 300,000 users had yet to wash away the malware.