Microsoft and Symantec have combined forces to bring down the Bamital botnet that had control of over 1.8 million unique IP addresses.
The botnet was used to hijack search results and redirect victims to potentially dangerous websites that could install malware, steal personal information, or fraudulently charge businesses for online advertisement clicks, Microsoft said,
The company estimated more than eight million computers were compromised over the past two years, along with major online search and advertising platforms.
The two companies estimated that Bamital generated at least $1 million a year in profits for its owners and 18 John Doe ringleaders have been identified, located in Australia, the US, Britain, Russia and Romania.
"Bamital is a malware family whose primary purpose is to hijack search engine results, redirecting clicks on these results to an attacker controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers' choosing," Symantec said.
“Bamital also has the ability to click on advertisements without user interaction. This results in poor user experience when using search engines along with an increased risk of further malware infections. Recent information from the botnet shows the number of requests reaching the C&C server to be well over one million per day.”
Microsoft Digital Crimes Unit assistant general counsel Richard Domigues Boscovich said the botnet was the sixth the group has dismantled.
“This takedown, known as Operation b58, is the sixth botnet disruption operation in three years by Microsoft as part of our project Mars – Microsoft Active Response for Security – program and the second done in cooperation with Symantec.”
He said that a lawsuit was filed on 31st January against the botnet's operators in order to sever all the communication lines between the botnet and the malware-infected computers under its control.
This was granted on 6th February, and Microsoft – escorted by the US Marshals Service – successfully seized valuable data and evidence from the botnet from web-hosting facilities in Virginia and New Jersey.
“Taking down the Bamital botnet is the first step in protecting people. It's important to note that while the cyber criminals in this case used the Bamital malware to break victims' search experience, it was done in such a sneaky way that most victims wouldn't have even noticed a problem while the botnet was still operating,” he said.
“However, because the takedown severed the cyber criminals' ability to manipulate and control Bamital-infected computers, victims will likely become visibly aware that their search function is broken as their search queries will time out. As such, Microsoft and Symantec have taken proactive action to notify victims.”