A massive botnet that infected millions of PCs and redirected clicks through other websites and ad networks was discovered and taken down by Microsoft and Symantec – with help from U.S. marshals. It is estimated that the operators of the botnet were able to bring in a $1 million dollar paycheck each year. Both Microsoft and Symantec agree that figure could even be higher – as much as three times.
Although the botnet was discovered as early as 2009, it took considerable time to trace it back to its origin. That day came February 6, 2013. Federal marshals, accompanied by personnel from Symantec and Microsoft, strolled into two datacenters and closed down the servers, one in New Jersey and the other server, located in The Netherlands, was voluntarily shut down once the hosting provider was notified. Eighteen “John Does” were named in a lawsuit filed Jan.18 in the U.S.District Court, but no arrests have been made.
The Bamital botnet, as it is known, infected millions of computers around the world mostly through malicious files and drive-by downloads. Once the malware had infected a computer it communicated with a command-and-control (C&C) server to serve its own search results to user queries, redirecting them to ad networks and websites that allowed the perpetrators to profit from the clicks. It would also send them to sites they didn’t intend to go, mostly shady websites that were being used for identity theft and other forms of fraud. In the official report, Microsoft and Symantec indicated that specific search queries would redirect users to a different website, often in an attempt to hijack clicks or further distribute new malware. For example, when “Nickelodeon” was used to pull up search results, users would be redirected to a website that infected the PC with spyware that allowed the unknown group to track the online activity of the owner. In another instance, users were sent to fake antivirus websites. At one point, Symantec discovered that 3 million clicks per day were being hijacked.
Now that the botnet has been taken offline and is under the control of authorities, infected PC users are being redirected to a new page – a warning screen from Microsoft informing them of the infection and giving them tools to erase the malware. Here is a screenshot of what infected PC owners got from Microsoft:
Click fraud was the main goal of Bamital. Online ad networks, like Google Adwords, pay publishers for clicks they receive on ads displayed on their websites. The scam works by utilizing malware that redirects users to specific websites and mimics human behavior by clicking on ads, unbeknownst to the user. Click fraud not only defrauds ad networks, but it lowers the quality of search results and puts people at risk of identity theft and other forms of fraud.
There are a number of ways people can protect themselves from frauds such as this, most involve using common sense. File-sharing sites are notorious for distributing malware and trojans. It goes without saying that you shouldn’t be downloading files from untrustworthy sites – especially executable (.exe) files. You should also maintain an up-to-date antivirus software on all of your computers and make sure everyone that uses your PC has the same browsing habits.
Need help with DDoS Protection? We can help!