Massive Bamital click-fraud botnet shut down

Symantec and Microsoft have teamed up to take down the Bamital botnet, and are currently in the process of warning users infected with the Trojan on how to remove it from their computers.

“Bamital is a malware family whose primary purpose is to hijack search engine results, redirecting clicks on these results to an attacker controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers’ choosing. Bamital also has the ability to click on advertisements without user interaction. This results in poor user experience when using search engines along with an increased risk of further malware infections,” Symantec explained in a blog post.

The Trojan and the botnet were first spotted back in 2009. From the very start, the Trojan was usually delivered to unsuspecting users via drive-by-downloads and maliciously modified files shared through peer-to-peer (P2P) networks.

“From analysis of a single Bamital C&C server over a six-week period in 2011 we were able to identify over 1.8 million unique IP addresses communicating with the server, and an average of three million clicks being hijacked on a daily basis. Recent information from the botnet shows the number of requests reaching the C&C server to be well over one million per day,” they noted.

“Microsoft and Symantec’s research shows that in the last two years, more than eight million computers have been attacked by Bamital, and that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google,” shared Richard Boscovich, Assistant General Counsel with the Microsoft Digital Crimes Unit.

Users searching for harmless terms such as “Nickelodeon” would be lead to websites distributing malware, those searching for Norton Internet Security were redirected to pages offering rogue AV, and so on.

“Microsoft and Symantec used a combined legal and technical action to take down Bamital,” says Boscovich. They filed a lawsuit against the botnet’s operators and were granted permission to seize C&C servers in Virginia and the Netherlands, and use them to redirect affected users to a Microsoft webpage that informs them about the infection and how to get rid of the Bamital Trojan and other malware (click on the screenshot to enlarge it):

“Click fraud is a lucrative business in the malware industry. Bamital is just one malware family engaged in this activity. The ability to blend fictitious client traffic within human-generated, legitimate traffic makes it extremely difficult for advertisement service providers to weed out such behavior completely,” Symantec researchers noted.

The identity of the botnet’s masters is still unknown, but judging by the (more than likely) fictitious names they used to register landing sites and domains, most of them are probably of Eastern European origin.

For more details about the malware itself and the whole operation, download the Symantec whitepaper here.