Cybersecurity Wednesdays | Symantec Identifies & Helps Take Down Global Cyber Crime Operation

“You have reached this website because your computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer.”

Today, Symantec and Microsoft technicians, together with U.S. federal marshals, raided data centers in Manassas, VA and Weehawken, N.J., shutting down servers, seizing equipment, preventing users from accessing the internet, and pushing the above message to an estimated one million infected computers. If you were one of those caught in the process, while it may have been inconvenient, you were playing a small part in taking down a very big global cyber crime operation known as the Bamital botnet.

A botnet is a network of computers or mobile devices that have all been infected with the same malware. The malware gives a hacker control of the machines and forces them to work together to perform certain tasks.

Hackers do this by embedding malicious code in websites and waiting for people to click on them – typically by way of a browser exploit kit. When a user visits the infected site, the malware is downloaded onto their computer. Although botnets have been around since the late 90s, they are hard to track, which makes it easy for people to fall victim. To steal and manipulate a famous movie quote, “If you build the botnet, they will join.”

Bamital profited through “click fraud” – when “a person, automated script or computer program imitates a legitimate user of a web browser clicking on an ad, for the purpose of generating a charge per click without having actual interest in the target of the ad's link.”

Using its horde of eight million zombie computers, Bamital hijacked an average of three million clicks per day during the past two years. Although each click was only worth fractions of a penny, together they generated over a million dollars a year for the 18 identified, but still anonymous, criminals scattered around the world including the U.S.

In most cases – this one included – users have no idea their computers are infected. This allows hackers to profit for years without you even knowing it.

Bamital could use its abilities to force its zombie computers to download other viruses. And while the botnet itself was harmless to you, those other viruses could engage in more nefarious personal attacks like identity theft.

Symantec identified Bamital last year and approached Microsoft’s Digital Crimes Unit. Together they worked on gathering evidence and planning a strategy to take down the operation. Last week, with proof in hand, the companies sought a court order, which was granted. With the help of federal marshals, they immediately took action and seized the servers earlier today.

Symantec and Microsoft have not settled for just taking down the operation. They are offering victims free tools to fix their computers and restore their access to the internet.

This was Symantec's second time working with Microsoft to take down a botnet, and Microsoft’s sixth such takedown. Although they continue fighting cyber crime, Vikram Thakur, a Symantec researcher, warns, “This is just the tip of the iceberg.” There are still several known botnets, and many more still hidden.

Researchers will now examine the confiscated servers to help them understand how criminals are developing the digital ecosystems needed for botnets to grow. They also hope to use their findings to develop tools for preventing future botnets.

The government hopes to use the data to identify the 18 criminals who ran the operation.

Poetically, the only hint at Bamital’s origin was a small cookie text file installed on infected computers. It contained a single Russian word, “yatutuzebil” – a phrase meaning, “I was here.”

The cyber world is a dangerous place. Cybersecurity is not only a concern for people, but for governments too. Imagine a botnet that takes command of the computers that control our power grids, or the devastation brought on by a botnet turning off the networks that air traffic controllers use to monitor our skies.

This event brings up many questions. But I think the most immediate one may be, “Who knew Microsoft had a Digital Crimes Unit?”

You can read more about the Bamital botnet in a whitepaper Symantec released called Trojan.Bamital.


Interested in learning more about cybersecurity? The GovDefenders Virtual Event is a free online cybersecurity conference on April 24. Join us from your desk as experts from NetApp, Symantec, ForeScout, Red Hat, Quest Software, SolarWinds, and DLT Solutions, discuss trends, best practices, and the future of public sector cybersecurity. Register today!