Bamital botnet dismantled, as Microsoft seizes control of malware servers

Filed Under: Fake anti-virus, Law & order, Malware, Microsoft

If any of your computers showed you a screen like this today, you can thank Microsoft.

And you *should* thank them, as chances are that those computers are infected by malware called Bamital.

Bamital malware notification

As Reuters reports, Security experts at Microsoft, working with others in the computer security industry, have disrupted a botnet being used by the Bamital malware family.

On Wednesday, data centers in Weehawken, New Jersey, and Manassas, Virginia, were raided by US Marshals, accompanied by Microsoft investigators, and web servers used by cybercriminals were seized.

Experts secure digital evidence of the Bamital botnet at a web-hosting facility in New Jersey

Malware used by the Bamital botnet hijacked unsuspecting users' Windows computers, creating false online advertising clicks, intercepting searches and redirecting users to websites designed to infect PCs with spyware.

A Microsoft blog post about the botnet takedown gives an example of how users who thought they were clicking on a search result taking them to the official Norton Internet Security webpage were in fact redirected to a website purveying fake anti-virus software.

It is estimated that, at its height, the botnet consisted of seven million hijacked computers, generating the gang behind it over £700,000 per year.

With the Bamital servers taken down, users of affected PCs are now directed to a webpage set up by Microsoft and Symantec, informing victims their computers are likely to be infected with malware.

Part of Bamital malware notification

Didn't expect this page?

You were likely trying to conduct a web search before you got to thjis page, however your computer is believed to be infected with malware known as bamital, which interferes with web search. Please read and follow the instructions on this page to resolve this issue.

Why am I here?

You have reached this website because your computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer.

Any good, up-to-date, anti-virus program should be able to detect and help you clean-up a Bamital infection on your computer. You can either use the tools that Microsoft recommends, or try Sophos's free virus removal tool.

It's great to see life being made more difficult for the cybercriminals, and this action bringing down the botnet has to be applauded. When the computer security authorities and law enforcement agencies work together, we can really raise the heat on the bad guys.

Ultimately, however, the most important thing will be to bring the perpetrators to justice - not just bring down their web servers. We need to catch those who write the malware, sell the malware, buy the malware, and those who profit from the botnet.

Unless the culprits are brought to justice, the crimes are likely to continue.

Further reading: Symantec's technical paper on Bamital [PDF]

, , , , ,

You might like

13 Responses to Bamital botnet dismantled, as Microsoft seizes control of malware servers

  1. cassandratoday · 968 days ago

    I can tell the difference, but how can Mom & Pop users tell that the MS page is legitimate, and not just another scareware scam page?

    • Notme · 968 days ago

      It's not important if Mom and Pop users think it is scareware. What is important is that they realize they have a virus since they see the page and take action to clean up their computer.

    • Paul Ducklin · 968 days ago

      They can't, of course, but since the advice is rather different from how the average scareware behaves, we have to hope that it makes Mum & Dad more thoughtful about how to react to on-screen alerts about malware in future.

      In particular, the advice here doesn't try to coerce them in short order into buying something on the basis of fear.

      Instead, it urges them gently to take stock of the situation, and to look around for someone or something to help them. That's a very different approach to grabbing the next product that comes along, and...oh, look! Here's one now!

      In short, if they do follow this advice, they will very likely end up sorted out, and they will (let us hope) realise that "stop - look - listen" is better kerbside advice when you want to cross the road than "blinkers on - run like crazy" :-)

  2. gmd · 968 days ago

    How long before the cyber criminals use this notice as a trap to encourage users to upload more malware?

    • roy jones jr · 963 days ago

      Then the next message Microsoft creates will be different?

  3. Nigel · 968 days ago

    "...bring the perpetrators to justice" is often an ambiguous phrase. I agree that merely bringing down their servers is not enough. But catching those who write the malware, sell the malware, buy the malware, and reap plunder from the botnet is not enough either (it's not profit because it involves crime; profit is not a crime). If "bringing the culprits to justice" always required them to make good on the losses they cause, I agree that such crimes would be far less likely to continue.

    • Paul Ducklin · 968 days ago

      One of the accused in the DNSChanger case (technically, he's no longer merely accused as he recently pleaded guilty) faces, if I have read correctly, the prospect of a largish court order to make good the losses he caused.

      His posse (five other suspects in this case) is alleged to have made $14m at least out of fraudulent DNS redirection; he, apparently, faces paying back up to $7m.

      Problem is, at least according to his lawyer, that he's broke. Blew all the money, I suppose.

      Not sure how you deal with that...

      • Wolf_Star · 967 days ago

        Unfortunately, there's nothing that the law, per se, can do about it. Fines and incarceration are laughable punishments to these cybercriminals. So long as the money is flowing and their chances of being caught virtually nil, we can expect more and more of their kind.

      • Nigel · 967 days ago

        Well, he's facing jail time anyway, right? So, if he can't make good on the damages immediately, that should make sentencing easy. He can work until he has covered all the losses. That makes it his problem. Give him an incentive (his freedom) to solve it. He's the one who caused it.

  4. dave · 968 days ago

    We should thank Microsoft for detecting a botnet? When the vast majority of botnets run on Microsoft operating systems exclusively (regardless of why this is so) in my opinion they have a duty of care to minimise, if not completely nullify) their impact.

    • Gavin · 967 days ago

      Dave, isn't that like suggesting that Ford should be responsible for stamping out all bad drivers? Manufacturers should (and often do) care very much about how their products are used but I fail to see how they could possibly guarantee that misuse does not happen.

  5. Adam · 967 days ago

    Maybe software writers have a duty to fix vulnerabilities in their code, but MS is going beyond that. More exploits are being found in Java and Adobe products than in Windows, so the MS-battering is getting pretty lame and out of date.

    To expand on Gavin's analogy, its like blaming the road for a defect in a Ford car.

  6. adam · 966 days ago

    Maybe software writers have a duty to fix vulnerabilities in their code, but MS is going beyond that. Over the last few years, more exploits are being found in Java and Adobe products than in Windows, so the MS-battering is getting pretty lame and out of date.

    It is more like blaming the road (Microsoft) for the bad driver(Malware author) in a faulty car (Java)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley runs his own award-winning computer security blog at, and is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Follow him on Twitter at @gcluley