Microsoft and Symantec have shut down a massive click fraud botnet known as Bamital, numerous variants of which have been in circulation since 2009 amassing several million dollars in fraudulent profit for the attackers as well as spreading more malware including scareware.
The botnet thrived on hijacking clicks on targeted search engine results pages, Symantec said. Clicks on ads and malicious links were redirected to the attacker’s server, which correlates the search phrase and where the click came from to redirect the victim.
“As an example, if the end user searched for antivirus and the search engine intended to send the user to a page owned by Symantec, the attacker-controlled server would use this information in its decision logic to redirect the user’s compromised computer to a third-party website that uses the Symantec brand name and peddles fake antivirus programs,” wrote Symantec’s Piotr Krysiuk and Vikram Thakur in a white paper released today. “By doing so, Bamital’s operators assume the role of ad-networks and get paid by the advertisers.”
The botnet also generates clicks by pretending to be a search engine; users’ browser sessions are hijacked and redirected to a set of attacker-owned results. The malware will then click on the search results in a self-initiated browser session.
“While executing this technique, computer users do not see the browser window in use and may not even be aware of the network traffic since the behavior happens in the background,” the Symantec report said. “This routine allows Bamital operators to assume the role of traffic brokers being able to generate and sell traffic from fictitious users to a vendor of their choice.”
Users may experience degraded system performance, or could be infected again visiting a malicious site hosting additional malware.
“While the Bamital botnet defrauded the entire online advertising platform, which is what allows the Internet and many online services to be free, what’s most concerning is that these cybercriminals made people go to sites that they never intended to go and took control of the computer away from its owner,” said Microsoft Digital Crimes Unit assistant general counsel Richard Boscovich. “Much like being coerced through a dark alleyway, this redirection would leave the person whose computer was already infected with Bamital more vulnerable to becoming targeted for other crimes, such as identity theft and additional malware infections.”
Microsoft said this is the sixth botnet takedown it has been involved in during the past three years, and the second with Symantec. Boscovich said Microsoft filed a lawsuit on Jan. 31 against the botnet operators that would allow it to cut off communication between the botnet and compromised computers. On Feb. 6, following a court order, Microsoft and the U.S. Marshals Service seized data and evidence from Web hosts in Virginia and New Jersey.
Microsoft said that search functionality on infected computers will be broken; the two companies said they have begun informing victims; search queries will be directed to an official Microsoft and Symantec webpage explaining the situation and how to remove the malware, in conjunction with ISPs and CERT teams.
Symantec said Bamital activity peaked in late 2011 and 2012. Users were infected either via drive-by download attacks, or malicious applications downloaded from peer to peer networks. Compromised pornography sites were primarily responsible for the drive-by infections; users were redirected to attack sites hosting the Phoenix exploit pack, among others, that would install the Bamital Trojan on machines. The exploit packs would also set a cookie called “yatutuzebil” which translates in Russian to “I was here already.”
Symantec said there are three modules present in Bamidal infections; one is the framework for the two other components, as well as receiving updates from command and control servers to located updated versions of the remaining modules. Another module monitors and hijacks search engine results performed on Google, Yahoo and Bing. Clicks on results are hijacked by this module and redirected to an attack site, which then results in a page of the attacker’s choosing, Symantec said.
The remaining module creates traffic without the need for user interaction; it clicks on pages and ads in the background of a web session. It also communicates with C&C servers for instructions on which sites or ads to click on in order to generate revenue.
Symantec, working with CESICAT and Spain’s Guardia Civil analyzed a C&C server and learned the size of the botnet and additional insight into the operation. Symantec said the operators were Russian or Eastern European and a peek into the server’s log files revealed more than 1.8 million unique IP addresses connecting over the course of one month. Daily, there were up to 120,000 connections from more than 200 countries, most from the United States. Those 120,000 connections resulted in three million clicks and lots of profit.
“Considering Bamital is not the largest click fraud botnet in existence, the sheer size of 1.8 million unique IP addresses within a single month of operation puts the magnitude of click fraud botnets into perspective,” Symantec said. “There are millions of computers hijacking legitimate searches as well as generating non-human network traffic. The exact amount of loss being incurred by legitimate organizations is impossible to gauge.”