
300,000 to 1 Million PC Slaves Freed When Microsoft and Symantec Take Down Botnet Servers

By ThreatMetrix

Technicians working on behalf of Microsoft and Symantec, accompanied by U.S. marshals, raided data centers in Weehawken, New Jersey and Manassas, Virginia, seizing one server in New Jersey and persuading the operators of the Virginia center to take down a server at their parent company in The Netherlands. Wonder if the term waterboard ever came up while the operators were being persuaded to take down their Netherlands server?

Anyway…Richard Boscovich, assistant general counsel with Microsoft’s Digital Crimes Unit, told Reuters he had “a high degree of confidence” that the raid had succeeded in bringing down what came to be known as the Bamital botnet.

The botnet, which conservatively pulled in at least $1 million a year in profit, was allegedly used in a number of illicit schemes. It redirected search results from the Google, Yahoo and Bing search engines to sites with which the botnet’s principals had financial relationships. Without PC users’ knowledge or consent, it used the infected computers to generate large quantities of automated ad clicks, for which the criminals were paid commissions. It also installed other types of malware that could engage in identity theft or recruit further PCs into networks used to attack websites.

Complaints were filed against eighteen people from Romania, Britain, Australia, the United States and Russia. A cookie on infected computers contained the Russian phrase “yatutuzebil,” which loosely translates into English as “I was here.”

Shutting down the servers that made Bamital run made it temporarily impossible for infected PCs to search the Web. Now, users who attempt searches receive this message: “You have reached this Website because your computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer.”

Through messages automatically pushed out to victims, Microsoft and Symantec are offering affected users free tools to clean their PCs and restore access to web searches.

This is the sixth time since 2010 that Microsoft has obtained a court order to disrupt a botnet. However, it is the first time that the owners of infected PCs have received warnings and free tools to clean up their machines. Sure doesn’t sound like your father’s Microsoft, does it?

Symantec researcher Vikram Thakur noted that Bamital is just one of several major botnets in a complex underground “click fraud ecosystem” that he believes generates tens of millions of dollars. As he put it, “[Bamital] is just the tip of the iceberg in the world of click fraud.”
