Massive search fraud botnet seized by Microsoft and Symantec

Users with computers infected by the Bamital botnet malware will see this page every time they click a search result.

A botnet that redirected clicks from millions of PCs has been shut down by Microsoft and Symantec, at least for the moment. Based on the fraudulent traffic generated by the Bamital botnet, the two companies estimate that its operators netted more than $1 million a year by redirecting unsuspecting computer users to websites they didn't intend to visit, cashing in on the traffic with online advertising networks.

Acting on a court order they obtained from the US District Court in Alexandria, technicians from the two companies—accompanied by federal marshals—showed up at two data centers today to take down the servers controlling the Bamital botnet. A server in an ISPrime data center in Weehawken, New Jersey was seized, while the operators of a LeaseWeb data center in Manassas, Virginia voluntarily shut down a server at the company's headquarters in the Netherlands. LeaseWeb is providing an image of that server to Microsoft and Symantec. "These servers were command and control servers and were also absorbing the malicious traffic the botnet was creating," said Vikram Thakur, principal security response manager at Symantec, in an interview with Ars.

Richard Boscovich, Microsoft's general counsel, said that while the malware had been identified as far back as 2011, nailing down the exact servers they needed to go after took some time. "The malware was morphing back and forth, so it made it difficult to identify the targets," he said. But when the botnet stabilized a few months ago, "it offered a window of opportunity to go after them. The legal portion took about two months."
