Security Advisor

Microsoft and Symantec Team Up in Botnet Takedown

But, as history has shown us, the "Bamital" ring may be down, but it'll probably be back.

News of another high-profile botnet ring smackdown by Microsoft broke last week. The recent target was the "Bamital" ring, responsible for infecting up to 8 million PCs in the past two years and scamming over $1 million.

Riding shotgun for the takedown was Symantec, which, in actuality, did most of the prep work. Symantec had been tracking the botnet ring and its leaders, believed to be spread out in Russia, Great Britain, Australia and the U.S.

The operation worked like this: Web domains were bought with phony credit card and contact information. Then, once advertisements were sold on these sites, infected computers would be redirected to them, driving up the click rate (and the rate of profit).

Once it had a strong enough case and clear evidence of the operation's goals and procedures, Symantec turned to Microsoft for legal help. Microsoft has the means and know-how to take these operations down: it has teamed up with multiple law enforcement agencies and security experts to bring down six of the largest botnet operations in the past three years.

Microsoft filed a lawsuit and on Feb. 6 was granted access to Web-hosting facilities in New Jersey and Virginia. From there, Microsoft was able to use information obtained to shut down the ring and take over the command and control (C&C) servers.

Now comes the cleanup.

"Taking down the Bamital botnet is the first step in protecting people," said Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, in a blog post. "It's important to note that while the cybercriminals in this case used the Bamital malware to break victims' search experience, it was done in such a sneaky way that most victims wouldn't have even noticed a problem while the botnet was still operating. However, because the takedown severed the cybercriminals' ability to manipulate and control Bamital-infected computers, victims will likely become visibly aware that their search function is broken as their search queries will time out."

Those searching with infected systems will be redirected to Microsoft and Symantec sites that provide information and tools for removing the malware.

While Microsoft and Symantec's commitment to thwarting these rings is commendable, the problem (and one that may not have a solution) is that they're only treating the symptom; in most cases, the ringleaders get away to fight another day.

A perfect case in point was the recent news that the Kelihos botnet, which was shut down by Microsoft and Kaspersky Labs in 2011 and then again in 2012, has once again reared its ugly head online.

"Researchers are tracking a new version of the Kelihos botnet, one that comes complete with better resistance to sinkholing techniques and a feature that enables it to remain dormant on infected machines for long periods to help avoid detection," said a Kaspersky blog post. "The botnet also is using an advanced fast-flux capability to hide the domains it uses for command-and-control and malware distribution."

So the cycle begins again. I'm assuming that Kaspersky is currently gathering evidence, legal actions will be taken and the ring will be temporarily brought down.

Are there any preventive, offense-based actions companies like Microsoft and Symantec can take when dealing with these international illegal rings? Or is defensive cleanup the only course of action? Share your thoughts in the comments below or at cpaoli@1105media.com.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
