Add the name “Bamital” to the list of oddball terms like Waledec, Rustock, Kelihos, Zeus and Nitol. All are bot networks taken down over the past 2 and a half years by Microsoft in partnership with law enforcement and security companies like Norton by Symantec. You can read about the event here or on our Symantec Response blog.
If you are a loyal Norton customer with fully protected computers, count yourself among the majority of computer users who missed out on the Bamital fun. The million or so folks around the globe who got infected with this malware likely never knew its name before today. Their unprotected computer was probably infected by an unlucky visit to an infected website, a type of infection known as drive-by download. Or they were members of a peer-to-peer network and downloaded the malicious file (probably thinking it was something desirable). Once installed on your computer, Bamital prevents web traffic from operating normally. Instead, if you conduct a web search and try to click on the resulting links, you are taken to fake websites set up by the crooks. The main objective was to generate web traffic and gain revenue from advertising networks. It gets a little confusing so please watch our video to better understand how this might work.
What about the takedown announced today? Did a bunch of GI men burst into a backroom of a bar where the cyber crooks had their lair? That only happens in the movies, my friend. But there is drama of a different sort.
Here’s how the takedown may work
First, security companies like Symantec notice a particular form of malicious software in circulation. They create protection files, called definitions, to prevent their customers from getting infected. Then, they share that information with the rest of the security industry. In special circumstances, the malware operates at a significant level, infecting thousands, possibly millions of innocent computer users anywhere in the world. Money is lost or computer performance is impacted. People begin to notice their computer isn’t working properly or they are blocked from visiting intended websites. Law enforcement may get involved at any stage in this process.
We’ve previously seen collaboration between security companies and law enforcement to stop cybercriminals in their tracks. Often, the easiest approach is to determine the location of servers that are communicating with the malware and break the connection by redirecting that web traffic to law enforcement secured servers. This enables a message to be delivered to the users of infected computers, alerting them to the problem and providing instructions on how to get rid of the malware. It can be a jarring and unusual experience, so ironically, end users may be suspicious of the very people trying to help them.
What to expect
If you are so unlucky as to have been infected with Bamital, you will likely end up visiting a Microsoft sponsored webpage with information about cleaning up the malware. It’s less likely anyone will email you or send you a message in your social network. Everyone should re-confirm they have security software installed and are using up-to-date protection files. We don’t want anyone falling for malicious social-engineered stunts to fool those who don’t have Bamital on their computers into downloading a file that might start the problem all over again.