Massive search fraud botnet seized by Microsoft and Symantec

Users with computers infected by the Bamital botnet malware will see this page every time they click a search result.

A botnet that redirected clicks from millions of PCs has been shut down by Microsoft and Symantec, at least for the moment. Based on the fraudulent traffic generated by the Bamital botnet, the two companies estimate that its operators netted more than $1 million a year by redirecting unsuspecting computer users to websites they didn't intend to go, cashing in on the traffic with online advertising networks.

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet. A server in an ISPrime data center in Weehawken, New Jersey was seized, while the operators of a LeaseWeb data center in Manassas, Virginia voluntarily shut down a server at the company's headquarters in the Netherlands. LeaseWeb is providing an image of that server to Microsoft and Symantec. "These servers were command and control servers and were also absorbing the malicious traffic the botnet was creating," said Vikram Thakur, principal security response manager at Symantec in an interview with Ars.

Richard Boscovich, Microsoft's general counsel, said that while the malware had been identified as far back as 2011, nailing down the exact servers they needed to go after took some time. "The malware was morphing back and forth, so it made it difficult to identify the targets," he said. But when the botnet stabilized a few months ago, "it offered a window of opportunity to go after them. The legal portion took about two months."


TOGAF Demystification Series: Overview


A few weeks back I sat in on a TOGAF 9.1 training course that I had my team ramp up on. This training was twofold: up-level the enterprise architecture team's knowledge of EA methods, and serve as a tool to understand the gaps in our own EA Framework (which is based on TOGAF) so we can enhance it for our next stage of maturity.

Throughout the training I observed several misconceptions, open questions and even some concerns with TOGAF. As I sat and listened I reflected on what I've heard about TOGAF in the past. They were all very similar to the debates I hear on LinkedIn, Twitter, blogs and many other forums. Some have a lot of merit while others not so much.

So, I jotted a few of the big ones down with a little bit of context and thought I would generalize them into something that would be useful for all of you to leverage or learn from. I am going to check the EA dogma at the door and be as factual as possible. It's important for us to talk factually about this topic and not get burdened by opinion or bias.

Below are the myths or facts I will create posts for in this TOGAF Demystification series. Expect this to flow out over the course of the next few weeks:

  1. TOGAF Sucks:  Incomplete and Complex
  2. TOGAF vs. [Insert Architecture Framework Here]: What you need to know about comparing frameworks
  3. TOGAF Certification is Weak
  4. TOGAF Certification = Enterprise Architecture Certification
  5. TOGAF = Open Group
  6. TOGAF is too Rigid and Academic
  7. TOGAF is a Framework
  8. TOGAF is Enterprise IT Architecture (EITA) not Enterprise Architecture (EA)

If there are any other topics you want me to cover, please leave a comment. I would love to hear your thoughts as well.

Bamital Bites the Dust

Today we are pleased to announce the successful takedown of the Bamital botnet. Symantec has been tracking this botnet since late 2009 and recently partnered with Microsoft to identify and shut down all known components vital to the botnet's operation.

Bamital is a malware family whose primary purpose is to hijack search engine results, redirecting clicks on these results to an attacker controlled command-and-control (C&C) server. The C&C server redirects these search results to websites of the attackers' choosing. Bamital also has the ability to click on advertisements without user interaction. This results in poor user experience when using search engines along with an increased risk of further malware infections.

Bamital's origin can be traced back to late 2009, and the malware has evolved through multiple variations over the past couple of years. Bamital has primarily propagated through drive-by downloads and maliciously modified files on peer-to-peer (P2P) networks. From analysis of a single Bamital C&C server over a six-week period in 2011 we were able to identify over 1.8 million unique IP addresses communicating with the server, and an average of three million clicks being hijacked on a daily basis. Recent information from the botnet shows the number of requests reaching the C&C server to be well over one million per day.

Clickfraud, the name used for the type of fraud committed by Bamital, is the process of a human or automated script emulating online user behavior and clicking on online advertisements for monetary gain. Bamital redirected end users to ads and content which they did not intend to visit. It also generated non-human initiated traffic on ads and websites with the intention of getting paid by ad networks. Bamital was also responsible for redirecting users to websites peddling malware under the guise of legitimate software. The following video illustrates how Bamital exploits the online advertising model:


Bamital is just one of many botnets that utilize clickfraud for monetary gain and to foster other cybercrime activities. Many of the attackers behind these schemes feel they are low risk as many users are unaware that their computers are being used for these activities. This takedown sends a message to those attackers that these clickfraud operations are being monitored and can be taken offline.

For further details on Bamital's activities you can download a copy of our whitepaper.

Details on recovering from a Bamital infection are available here. Users of Symantec security products with current definitions are already protected against Bamital and its variants.

Symantec Security Response would like to acknowledge Spain's Civil Guardia, Catalunyan CERT (CESICAT), and Microsoft for assisting us in understanding and ultimately bringing this botnet to its demise.

HTML holes exposed sensitive data for “private” Steam user accounts

Valve has remedied a major potential privacy issue with the Steam Community website after it was brought to the company's attention by Ars. The flaw allowed anyone to view game purchase history, achievement history, recent play time, and more—even for Steam users that had set their profiles to private.

I recently discovered the privacy hole when fiddling with Steam's profile settings and examining the source code behind the site. Since the problem exposed potentially sensitive data about Steam users, the examples cited in this article will primarily be from my personal profile. That said, we independently confirmed that the privacy hole applied to any profile that was set to "Private" or "Friends only." Many such profiles could be easily discovered using Google without prior knowledge of the user's Steam ID number or name.

Out of respect for the privacy of Steam's more than 50 million users, we did not immediately publish our discovery of this privacy hole. Instead, we documented the problem and notified Valve of the issue late on Monday evening. Within three hours of sending our message, our spot checks showed that the problem appeared to be remedied.
