Bamital botnet has been taken down

For everything that's not in any way related to PureBasic. General chat etc...
SFSxOI
Addict
Posts: 2970
Joined: Sat Dec 31, 2005 5:24 pm
Location: Where ya would never look.....

Bamital botnet has been taken down

Post by SFSxOI »

The Bamital botnet malware has been in existence in variants since 2011, with different variant generations of the malware. It redirected users of infected computers to web pages which they did not intend to visit when they clicked on a search result, which in turn allowed its controllers to reap profits from traffic with online advertisers. This botnet hijacking and click fraud scheme affected search results from major search engines and for all browsers, including the search engines of Microsoft, Yahoo and Google and all known browser versions, including all versions of Firefox and Internet Explorer. It is possible you may have been infected and not know it, as the malware did not affect each computer in exactly the same way each time (due to generational variation in the malware), but it did affect all which were infected, and at some point a search result ended up on a web page the infected system's user did not expect. There have been several generations of Bamital which date back at least three years. Millions of systems were/are affected, unknown to the users of those systems.

The earliest versions used HTML injection. The malware quickly evolved and later variants simply redirected a click on a search page to the botnet's servers which in turn used HTML redirects to feed the traffic into an advertising network clearinghouse for other advertiser networks so a click could go through several sets of redirects unknown to the infected computer user before it actually landed on a website.

The majority of systems infected were the victims of "drive-by downloads" from websites configured with malicious software (some of which installed silently without the victims' knowledge) intended to exploit browser security flaws in all browsers, as the malware botnet operators polluted search engine results for certain search terms with links to servers hosting various exploits.

This botnet was taken down by Microsoft and Symantec technicians accompanied by U.S. Federal Marshals after completion of the investigation. The command and control servers were located at the ISPrime data center in Weehawken, New Jersey, and on a LeaseWeb server at the LeaseWeb company headquarters in the Netherlands. The server at ISPrime was seized directly as evidence via a court order obtained from the U.S. District Court in Alexandria, Virginia, and an image of the LeaseWeb server has been provided by LeaseWeb and taken into evidence. The situation is being monitored for any other command and control servers which may appear. It took a while for the command and control servers to be pinned down because the malware was evolving and the botnet command and control servers seemed to be moving around; however, they finally got pinned down, the botnet is now offline, and Microsoft has taken control of the command and control servers.

Signatures for antivirus packages are beginning to appear; however, the two cleaning methods readily available as of the date and time of this writing are the Microsoft Safety Scanner and Norton Power Eraser, both of which now contain the capability to detect and remove Bamital.

The Microsoft Safety Scanner is located here > http://www.microsoft.com/security/scann ... fault.aspx

The Norton Power Eraser is located here > https://www.norton.com/bamital

We recommend you use one of the above solutions to scan, and if necessary clean, your computer. Both of these scanning/cleaning solutions are free (you only need to use one of them, not both).

Microsoft has taken full control of the command and control servers and set them up so that every time someone using a system infected with Bamital conducts a search query, they get redirected to a Microsoft web page warning them they are infected and giving instructions for removal, with links to the two solutions above. The redirect is a legitimate web page to help people rid their systems of the malware, because if it remains it's possible that other command and control servers coming online and controlled by the botnet operators could activate the malware again and update it to cause more malicious acts. However, this redirect mainly affects those with the latest generations of the malware infecting their systems; those infected with older generations of the malware may not get redirected and thus receive no warning that they are infected. The older generations of the malware had different command and control servers which were abandoned (have been dormant) by the botnet operators as the malware evolved, so although you may not be redirected if infected, it's possible those past abandoned command and control servers could be re-activated and cause further harm, beyond the original form involving searches, to systems in different forms unknown to the affected system's user until it's too late. The solutions above will remove all currently known generations of the malware if it exists on a system; it's recommended that one of the solutions above be used to make sure a system is not infected with any generation, variant or version of the malware.

(As a side note, you'd never guess what the original prototype proof-of-concept code (for inclusion in) of the above cleaning/removal solutions was coded with (well, you can guess, but I will neither confirm nor deny). They almost did not get deployed this soon due to certain English wording and grammar issues with certain documentation items for the coding language used for the original prototype proof-of-concept code; proper wording and grammar are important and can affect millions of people.)
Last edited by SFSxOI on Sat Feb 09, 2013 11:01 pm, edited 15 times in total.
The advantage of a 64 bit operating system over a 32 bit operating system comes down to only being twice the headache.
c4s
Addict
Posts: 1981
Joined: Thu Nov 01, 2007 5:37 pm
Location: Germany

Re: Bamital botnet has been taken down

Post by c4s »

SFSxOI wrote: [...] you'd never guess what the original prototype proof-of-concept code of the above cleaning/removal solutions was coded with
Nice! 8)
If any of you native English speakers have any suggestions for the above text, please let me know (via PM). Thanks!
Little John
Addict
Posts: 4805
Joined: Thu Jun 07, 2007 3:25 pm
Location: Berlin, Germany

Re: Bamital botnet has been taken down

Post by Little John »

My guess is: BurePasic. :D
Zebuddi123
Enthusiast
Posts: 796
Joined: Wed Feb 01, 2012 3:30 pm
Location: Nottinghamshire UK

Re: Bamital botnet has been taken down

Post by Zebuddi123 »

Thanks SFSxOI

Zebuddi. :D
malleo, caput, bang. Ego, comprehendunt in tempore