For the first time, a major botnet take-down has included direct victim notification that warns users their PCs are infected and shows them how to scrub clean their machines.
Yesterday's take-down of the Bamital botnet by Microsoft and Symantec wasn't news. Microsoft has shut down six, including Bamital, in the last three years, including several very large networks of compromised computers such as Waledac in 2010, and Rustock in 2011. And it's worked with Symantec on a botnet-destroy mission before.
[ Find out how to block the viruses, worms, and other malware that threaten your business, with hands-on advice from expert contributors in InfoWorld's "Malware Deep Dive" PDF guide. | Keep up with key security issues with InfoWorld's Security Adviser blog and Security Central newsletter. ]
Instead, Microsoft and Symantec co-opted Bamital's communication mechanism to add a new twist to the take-down: Each victim is warned when they click on a bogus search result generated by the malware.
"We decided to push the envelope," said Vikram Thakur, principal security response manager with Symantec, in an interview today. "Some degree of notification is almost always possible, but this time we had a technical advantage because the browser was being used by the malware."
That advantage, explained Thakur, was in how the malware redirected victims' search requests. After clicking on legitimate search results in Microsoft's Bing search engine, as well as those operated by Google and Yahoo, users were shunted to Bamital's C&C servers, where browsers were then sent toward bogus results.
The ploy, called "search hijacking," provided Bamital's operators with millions in revenue from so-called "click fraud" schemes, where miscreants artificially pump up the clicks on an online advertising network, earning money for their illicit efforts.
With control of the botnet's C&C servers -- a federal court order allowed Microsoft to seize those systems -- that once-shunted traffic has been intercepted by Microsoft, then sent to a special Web page created by it and Symantec. The page tells users that their Windows PC is probably infected with Bamital, and provides links they can copy and paste into their browser to a pair of clean-up tools from Microsoft and Symantec.
"Victims will notice a problem with their search experience now that the botnet has been taken down," explained Richard Boscovich, assistant general counsel in Microsoft's digital crimes unit, in an email reply to questions. "Because the take-down of this botnet severed the cybercriminals' ability to manipulate and control Bamital-infected computers, victims will become visibly aware that their search function is broken as their search queries will time out. In order for the victims' search experiences to work properly again, they will need to clean their computers from the Bamital malware."
Only the traffic that was being illegally redirected by Bamital is being captured by Microsoft, and sent to the warning/clean-up page, said Thakur. "We don't see any but that, and we don't want to," he said.
Microsoft asked for, and received, court approval to reach out directly to victims in this take-down.