Microsoft and Symantec have brought down a global cybercrime operation, the Bamital botnet, by shutting down the servers at the heart of the botnet.
PCs infected by the malware that linked them to the botnet were temporarily unable to search the Web, and the software companies are pushing messages to them regarding their infection and how to clear it.
Richard Domigues Boscovich, assistant general counsel at the Microsoft Digital Crimes Unit, confirms that the operation took place yesterday.
“The Microsoft Digital Crimes Unit, in collaboration with Symantec, has taken down the dangerous Bamital botnet which hijacked people’s search results and took them to potentially dangerous Web sites that could install malware onto their computer, steal their personal information, or fraudulently charge businesses for online advertisement clicks,” he writes on the company blog.
“Microsoft and Symantec research shows that, in the last two years, more than 8 million computers have been attacked by Bamital, and that the botnet’s search hijacking and click fraud schemes affected many major search engines and browsers, including those offered by Microsoft, Yahoo and Google.
“Because this threat exploited the search and online advertising platform to harm innocent people, Microsoft and Symantec chose to take action against the Bamital botnet to help protect people and advance cloud security for everyone.”
Boscovich explains that the botnet redirected people to sites they never intended to visit and took control of the computer away from its owner.
“Much like being coerced through a dark alleyway, this redirection would leave the person whose computer was already infected with Bamital more vulnerable to becoming targeted for other crimes, such as identity theft and additional malware infections.
“For example, in one instance, Microsoft investigators found that Bamital rerouted a search for ‘Nickelodeon’ to a Web site that distributed malware, including spyware that is designed to track the activities of the computer owner.
“Meanwhile, in another case, our researchers discovered that an official Norton Internet Security page that appears in a list of search results was redirected to a rogue antivirus site that distributes malware.”
Yesterday’s server takedown, known as Operation b58, is the sixth botnet disruption operation in three years by Microsoft as part of its Project MARS (Microsoft Active Response for Security) programme and the second done in co-operation with Symantec, Boscovich adds.