Microsoft, in partnership with security firm Symantec, announced Wednesday that it has disrupted a botnet known for rerouting victim machines to websites, online advertisements and links of the attackers' choosing.
Over the last two years, a trojan known as Bamital compromised more than eight million computers, redirecting unsuspecting users' search result clicks through its own command-and-control servers.
Last Thursday, Microsoft, which operates a major advertising network, sued the botnet's operators, naming 18 "John Does" as defendants, and asked a judge to cut off any communications between the botnet and compromised PCs. The judge ruled in favor of the complaint (PDF), which was supported by Symantec, and on Wednesday, federal marshals seized evidence related to the botnet from web hosting centers in Virginia and New Jersey.
According to the lawsuit, the defendants are based in Russia, South Korea, the U.K., Czech Republic, as well as a number of U.S. states.
"While the Bamital botnet defrauded the entire online advertising platform, which is what allows the internet and many online services to be free, what's most concerning is that these cyber criminals made people go to sites that they never intended to go to and took control of the computer away from its owner," Richard Boscovich, Microsoft's assistant general counsel, wrote in a blog post. "Much like being coerced through a dark alleyway, this redirection would leave the person whose computer was already infected with Bamital more vulnerable to becoming targeted for other crimes, such as identity theft and additional malware infections."
According to Symantec, which has been tracking Bamital since 2009, the trojan infected users' machines when they clicked on a malicious file or simply browsed to a previously compromised website. Once installed, the trojan hijacked search results. That meant that when users received relevant links after a Google or Bing search and clicked on one of them, they were brought to a site they didn't intend to reach. In some cases, they were directed to bogus search results. In addition, the trojan clicked on ads without the user taking any action.
"Click fraud, the name used for the type of fraud committed by Bamital, is the process of a human or automated script emulating online user behavior and clicking on online advertisements for monetary gain," a Symantec Security Response blog post said Wednesday. "Bamital redirected end-users to ads and content which they did not intend to visit. It also generated non-human-initiated traffic on ads and websites with the intention of getting paid by ad networks. Bamital was also responsible for redirecting users to websites peddling malware under the guise of legitimate software."
Botnets are commonly used in click-fraud campaigns. According to Symantec, Bamital's distributors earned money through advertising distributors, which received funds from the victim advertisers.
"Taking down the Bamital botnet is the first step in protecting people," Boscovich wrote. "It's important to note that while the cyber criminals in this case used the Bamital malware to break victims' search experience, it was done in such a sneaky way that most victims wouldn't have even noticed a problem while the botnet was still operating. However, because the takedown severed the cyber criminals' ability to manipulate and control Bamital-infected computers, victims will likely become visibly aware that their search function is broken as their search queries will time out."
Infected machines will now be diverted to an official Microsoft or Symantec website, which will offer instructions on removing the trojan, he said.
Microsoft said this operation, known as b58, is its sixth botnet takedown in the past three years. Legal action lodged by the software giant has led to the dismantling of the Kelihos, Nitol and Zeus botnets, among others.