Bamital Botnet Shut Down by Microsoft and Symantec
Bamital botnet put 8 million PCs at risk from malicious search redirect – but was there any other malware risk?
The battle against malware often takes on multiple forms, including both technology and legal avenues. This week Microsoft and Symantec took the legal route, helping shut down the nefarious Bamital botnet that has already infected some eight million PCs.
The legal action involved a lawsuitfiled by Microsoft against 18 defendants indentified as "John Does 1-18, controlling a computer botnet thereby injuring Microsoft and its customers."
The John Does are further identified by Microsoft as being physically located in the Russian Federation, South Korea, the United Kingdom, Romania, Australia, the Czech Republic and the United States.
On Feb. 6, U.S. Marshals joined by Microsoft entered data centers in Virginia and New Jersey to shut down the botnet and seize evidence.
"Our research shows that the Bamital botnet was active worldwide, although the majority of activity affected the United States and Europe," said Richard Boscovich, assistant general counsel, Microsoft Digital Crimes Unit.
The Bamital botnet is centered around malware that redirects user searches. Users searching for a given query would be sent to a site that delivers malware. Boscovich told eSecurity Planet that the Bamital malware itself did not directly drop any kind of trojan or information-stealing malware on user PCs.
"However, because the criminals behind Bamital were hijacking people’s search results and secretly taking them to places online they never intended to go, people whose computers are infected with Bamital are more vulnerable to becoming targeted for other crimes, such as identity theft and additional malware infections," Boscovich said. "This means that computers that are infected with Bamital could also be infected with other malware."
In one test case, Boscovich noted that researchers discovered that an official Norton Internet Security page that appears in a list of search results was redirected to a rogue antivirus site.
"Furthermore, in another instance, a search for Viagra redirected our investigators to the website of another company selling Viagra," Boscovich said. "Based on Microsoft’s case involving the takedown of the Rustock botnet, it is known that online vendors often sell counterfeit or entirely fake pharmaceuticals, which poses a danger to public health."
While Microsoft has now taken legal efforts to shut down Bamital, it is not a new or previously unknown threat in the malware world.
Zulfikar Ramzan, chief scientist with Sourcefire's cloud technology group, told eSecurity Planet that Bamital is a long-standing malware family. Sourcefire, lead sponsor behind the open source ClamAV anti-virus engine and the open source SNORT Intrusion Prevention System, has had capabilities to detect it for some time.
His company has used generic machine learning-based approaches to identify variations on Bamital and other malware instances that are part of the Bamital family, as well as specific signatures, Ramzan added.
"We have noticed a recent uptick among our users of Bamital detections that rely on these more generic machine learning techniques, which suggest that malware authors have been rapidly iterating upon it to create a larger-scale botnet," Ramzan said.
From Microsoft's perspective, the risk of Bamital infection could be mitigated by good PC hygiene. Boscovich said that a person who uses up-to-date legitimate software, including anti-virus and anti-malware programs, and applies Microsoft’s monthly security updates is less likely to be infected by Bamital on their computers.
"Of note, Microsoft found that the majority of Bamital infections affected Windows XP users who do not exercise safe practices, such as using protections like a firewall and anti-virus/anti-malware programs and applying Microsoft’s monthly security updates," Boscovich said. "A smaller set of infections were also detected on Windows 7 platforms."
At the core, Bamital is a browser hijack that directly affects Web browser technologies.
"While the botnet’s takedown removed the cybercriminals' ability to hijack users’ browsing sessions, there is a high probability that many end users were unaware the problem existed while the botnet was still functioning," Mark Elliott, EVP of products at Quarri Technologies, told eSecurity Planet. "The availability of free tools and tips to assist users in un-installing the botnet is a positive development, but many still don't know that they have Bamital installed on their computer. "
Quarri develops a hardened browser technology that that aims to protect browsers.
Microsoft and Symantec are taking a number of steps to alert infected users. Searches from infected PCs will now be redirected to a page that informs users of what they should do to remove the malware. Even with those resources, there is still the larger issue of taking additional precautions for browser security.
"This again accentuates the issue of Web browser security and the dangers end users face if they don't take the proper security measures," Elliot said. "It also demonstrates the critical need for organizations to provide and enforce the use of a secure, hardened browser session to protect their Web applications from malware."