Bamital is spread as a malicious infection within P2P networks, and via drive-by downloads on pornographic websites. In the latter case, users visiting malicious pages would be redirected to other sites hosting exploit kits – in this case almost exclusively the Phoenix EK. Phoenix would then attempt to leverage any one of a number of vulnerabilities to install Bamital.
The takedown followed a lawsuit filed by Microsoft with support from Symantec on January 31. “The court granted Microsoft’s request,” says the official Microsoft blog, “and on February 6, Microsoft – escorted by the U.S. Marshals Service – successfully seized valuable data and evidence from the botnet. The evidence was taken from web-hosting facilities in Virginia and New Jersey.”
Bamital “was being used to hijack people’s search results and take them to potentially dangerous websites that could install malware onto their computer, steal their personal information, or fraudulently charge businesses for online advertisement clicks,” explains Microsoft. “If you have been impacted by this botnet,” (Microsoft estimates that more than 8 million computers have been infected) it continues, “you will be notified the next time you try and run a search using your preferred provider.” It simply means that users will need to scan their systems with an up-to-date mainstream anti-virus product to get clean.
This approach, effectively using the C&C servers to reach the individual bots, will ensure that the entire botnet is eliminated rather than just the C&C servers. It will prevent criminals trying to resurrect the existing network from different servers in the future – a problem that exists where takedowns only involve the servers.
The main cost from Bamital – which Symantec warns “is not the largest click fraud botnet in existence" – is to the advertiser and search providers rather than the infected user. It causes increased cost to the advertiser without any chance of increased sales. Since there is no direct cost to the user, it can remain undetected on the PC (although most anti-virus products will detect and remove it).
But it is not entirely without threat to the user. Microsoft describes it as “much like being coerced through a dark alleyway” leaving the user open to many other threats. In one instance a search for ‘Nickelodeon’ was rerouted to a malicious site distributing malware; in another, ‘Norton’ was redirected to a fake AV site.
Symantec warns that the Bamital takedown is not the end of the click-fraud threat. “There are millions of computers hijacking legitimate searches as well as generating non-human network traffic... Overall, click fraud malware contributes estimates of millions of dollars to the underground economy.”