The Bamital botnet, assembled by an organized group of fraudsters to commit click fraud, infected hundreds of thousands of computers but has recently been shut down as authorities have seized servers and pulled others offline following a collaborative investigation by Microsoft and Symantec.
A complaint filed in federal court listed 18 ringleaders for the Bamital operation spread across Eastern Europe, Britain, the United States and Australia. Computers infected with the Bamital malware would have their search results from Google, Yahoo and Bing redirected to display results that would earn the fraudsters revenues per click. The botnet was also used to force infected computers into generating large amounts of automated clicks without the computer user’s knowledge. It is estimated that the malware infected between 300,000 and 600,000 personal computers and that this organized botnet and click fraud operation brought in at least $1 million per year in profit to the ringleaders.
The takedown of this Bamital botnet has some similarities to the DNSChanger malware where many infected computers lost internet access once the servers were taken down in July 2012. In the earlier case infected computers were redirected to servers ultimately seized by the FBI. As an interim solution the FBI ran two servers just to handle web requests coming from infected machines while providing information and solutions for infected web users to correct the issue before shutting down the temporary servers. Similarly, by shutting down the servers where Bamital infected computers were redirected cuts off web access for those machines, but Microsoft and Symantec are offering free tools to remove the malware and restore access to the net. When infected machines access the web they will see a warning that they are likely infected until the malware is removed. Shutting down the Bamital botnet marks the sixth time Microsoft has obtained a court order to dismantle or disrupt a botnet since 2010.
For more information: