On Feb. 6, U.S. Marshals joined by Microsoft entered data centers in Virginia and New Jersey to shut down the Bamital botnet and seize evidence.
“Our research shows that the Bamital botnet was active worldwide, although the majority of activity affected the United States and Europe,” said Richard Boscovich, assistant general counsel, Microsoft Digital Crimes Unit.
The Bamital botnet is built around malware that hijacks user searches. A user searching for a given query could be redirected to a site of the operators' choosing, including sites that deliver malware. Boscovich told eSecurity Planet that the Bamital malware itself did not directly drop any kind of trojan or information-stealing malware on user PCs.
“However, because the criminals behind Bamital were hijacking people’s search results and secretly taking them to places online they never intended to go, people whose computers are infected with Bamital are more vulnerable to becoming targeted for other crimes, such as identity theft and additional malware infections,” Boscovich said. “This means that computers that are infected with Bamital could also be infected with other malware.”
In one test case, Boscovich noted, researchers found that clicking an official Norton Internet Security page listed in the search results redirected the user to a rogue antivirus site.
“Furthermore, in another instance, a search for Viagra redirected our investigators to the website of another company selling Viagra,” Boscovich said. “Based on Microsoft’s case involving the takedown of the Rustock botnet, it is known that online vendors often sell counterfeit or entirely fake pharmaceuticals, which poses a danger to public health.”