The Bamital Botnet Bust Takes an Interesting Turn

Amy Larsen DeCarlo

Summary Bullets:

  • Microsoft and Symantec disclosed that they have successfully (they believe) shut down the Bamital botnet, which was netting at least $1 million a year for the perpetrators.
  • The companies went beyond the usual legal and technical responses, employing the botnet’s own mechanisms to inform targeted users that their systems had been infected to carry out so-called ‘click fraud.’

Where there is a will, there always seems to be a way when it comes to hackers using new techniques and variations on old methods to breach systems for their own gain. This is what makes the IT security discipline as relentlessly frustrating as it is endlessly challenging. No matter how innovative IT security technologies and practices become, determined cybercriminals seem to find new ways to penetrate even the best enterprise defenses.

That is why it is especially satisfying to hear about a successful takedown of a criminal network. You could practically hear cheers from the sidelines when Symantec and Microsoft disclosed details earlier this month regarding how the two companies brought down a botnet used to hijack targeted machines’ browsers to perpetrate a click fraud scheme in which ad click results are artificially inflated.

This is not to say that crackdowns on botnets are that unusual: Microsoft has taken out at least five other botnets in the last three years, including larger operations such as Rustock. What makes the Bamital botnet bust so different is that Symantec and Microsoft used the botnet’s own communications network to inform victims. Up to 2 million users’ devices had been targeted for hijacking to click on ad results on search pages, for which the botnet operators then pocketed the fees. Microsoft and Symantec successfully petitioned the U.S. Federal Court system to gain access to the Bamital infrastructure in order to provide information to targeted users on how to remove the malware that was manipulating their browsers.

Looping in the targeted users, whose machines made up the botnet’s infrastructure, is key. Informing users of infected machines is more than a courtesy; it has added value because the malware was not only co-opting the search process and making the end users’ machines players in fraud, but also potentially exposing those devices to even more malware. Were you informed by Microsoft or Symantec that you were affected by the Bamital botnet? Did you appreciate the companies’ advice on how to remove the malware?

This may or may not be a harbinger of botnet takedowns to come. The fact that the malware used the browser in its exploits made it easier for the companies to track down and communicate with the users. What it does do is put a nice finish on a thorough takedown, giving the targeted users an opportunity to make their systems whole again. However, as impressive as Microsoft and Symantec’s results were, they do not entirely close the loop on the Bamital botnet. As of this writing, no arrests had yet been made in association with the Bamital botnet. Does Microsoft and Symantec’s action give you more confidence, or does it leave you wondering how many undiscovered botnets are in operation now? What more do you think providers can and should do?

What do you think?
