Microsoft and Symantec teamed up to shut down Bamital, a large click-fraud botnet that had operated for about four years and earned its operators substantial profits.
The botnet made its money by hijacking clicks on search engine results pages, Symantec said. Clicks on ads and links were redirected to an attacker-controlled server, which used the search phrase and the origin of the click to decide where to send the victim.
“As an example, if the end user searched for antivirus and the search engine intended to send the user to a page owned by Symantec, the attacker-controlled server would use this information in its decision logic to redirect the user’s compromised computer to a third-party website that uses the Symantec brand name and peddles fake antivirus programs,” said Symantec’s Piotr Krysiuk and Vikram Thakur in a white paper. “By doing so, Bamital’s operators assume the role of ad-networks and get paid by the advertisers.”
The botnet also generated clicks without any user involvement: the malware impersonated a search engine, steered the hijacked browser session to a set of attacker-controlled results, and then clicked on those results from a browser session it had started itself.
“While the Bamital botnet defrauded the entire online advertising platform, which is what allows the Internet and many online services to be free, what’s most concerning is that these cybercriminals made people go to sites that they never intended to go and took control of the computer away from its owner,” said Microsoft Digital Crimes Unit assistant general counsel Richard Boscovich. “Much like being coerced through a dark alleyway, this redirection would leave the person whose computer was already infected with Bamital more vulnerable to becoming targeted for other crimes, such as identity theft and additional malware infections.”
Microsoft said this is the sixth botnet takedown it has been involved in during the past three years, and the second with Symantec. Boscovich said Microsoft filed a lawsuit on Jan. 31 against the botnet operators, seeking the authority to cut off communication between the botnet and the compromised computers. On Feb. 6, following a court order, Microsoft and the U.S. Marshals Service seized data and evidence from Web hosts in Virginia and New Jersey.
With the botnet's infrastructure cut off, Microsoft said, search functionality on infected computers will appear broken. The two companies said they have begun notifying victims: search queries from infected machines now land on an official Microsoft and Symantec webpage that explains the situation and how to remove the malware, and the companies are working with ISPs and CERT teams on the cleanup.
Symantec said Bamital activity peaked in late 2011 and 2012. Users were infected either through drive-by download attacks or by running malicious applications downloaded from peer-to-peer networks.
Symantec said a Bamital infection consists of three modules. One serves as the framework for the other two and polls the command and control servers for updated versions of them. A second monitors searches performed on Google, Yahoo and Bing and hijacks the results: clicks on results are intercepted by this module and sent to an attacker-controlled site, which then forwards the victim to a page of the attacker's choosing, Symantec said.
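The redirection pattern described above (a click off a results page that lands on an attacker-controlled host and is immediately bounced to a third site) is visible in web proxy logs. The following Python is an added triage example, not code from Symantec, Microsoft or the Bamital operators: it scans constructed proxy records for clicks whose Referer is a Google, Yahoo or Bing results page, whose destination is outside the search engine, and which answer with a 3xx to yet another host. The host names, client addresses and log records are all constructed for the example; the `.invalid` domains are placeholders, not real indicators.

```python
# Added example: triage proxy logs for search-result clicks that detour
# through an unexpected intermediate redirector (Bamital-style hijacking).
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Results-page hosts for the three engines the article names. Clicks that stay
# within these hosts (e.g. the engine's own ad click-tracker) are treated as
# legitimate; only hops to a foreign host are considered.
SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


@dataclass(frozen=True)
class Request:
    client: str    # workstation that made the request
    url: str       # requested URL
    referer: str   # Referer header ("" if absent)
    status: int    # HTTP status code returned
    location: str  # Location header on 3xx responses ("" otherwise)


def search_query(referer: str) -> Optional[str]:
    """Return the search phrase if `referer` is a results page, else None."""
    u = urlparse(referer)
    if u.hostname not in SEARCH_HOSTS:
        return None
    qs = parse_qs(u.query)
    for key in ("q", "p"):  # Google and Bing use q=, Yahoo uses p=
        if key in qs:
            return qs[key][0]
    return None


def hijacked_clicks(reqs: List[Request]) -> List[Tuple[str, str, str, str]]:
    """Flag clicks off a results page that land on a host outside the search
    engine and are immediately redirected (3xx) to a different host.

    Returns (client, search phrase, intermediate host, final host) tuples.
    An organic click normally lands on the result site itself with a 200."""
    findings = []
    for r in reqs:
        query = search_query(r.referer)
        if query is None:
            continue  # not a click off a results page
        hop = urlparse(r.url).hostname
        if hop in SEARCH_HOSTS:
            continue  # the engine's own redirect, not a detour
        if 300 <= r.status < 400 and r.location:
            final = urlparse(r.location).hostname
            if final and final != hop:
                findings.append((r.client, query, hop, final))
    return findings


# Constructed sample traffic (not real logs); hosts are placeholders.
SAMPLE = [
    # clean host: organic click goes straight to the result site
    Request("10.0.0.5", "https://www.symantec.com/",
            "https://www.google.com/search?q=antivirus", 200, ""),
    # clean host: ad click via the engine's own tracker, still legitimate
    Request("10.0.0.5", "https://www.google.com/aclk?sa=L",
            "https://www.google.com/search?q=antivirus", 302,
            "https://www.symantec.com/"),
    # infected host: click detours via a redirector to a brand-lookalike site
    Request("10.0.0.9", "http://redirector.invalid/c?kw=antivirus",
            "https://www.google.com/search?q=antivirus", 302,
            "http://symantec-antivirus-deals.invalid/"),
    Request("10.0.0.9", "http://yahoo-hop.invalid/r",
            "https://search.yahoo.com/search?p=tax+software", 302,
            "http://cheap-tax.invalid/"),
    # unrelated traffic with no search referer
    Request("10.0.0.9", "https://example.org/", "", 200, ""),
]

if __name__ == "__main__":
    for client, query, hop, final in hijacked_clicks(SAMPLE):
        print(f"{client}: '{query}' detoured via {hop} -> {final}")
```

Legitimate ad networks also redirect through tracking hosts, so treat a single hit as a triage signal rather than a verdict: aggregate by intermediate host across many clients, and an intermediate that only ever appears on a handful of machines and always forwards to brand-lookalike domains is the one worth pulling apart.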