From: Reuters News Service
Software makers Microsoft Corp and Symantec Corp said they disrupted a global cybercrime operation by shutting down servers that controlled hundreds of thousands of PCs without the knowledge of their users.

The move made it temporarily impossible for infected PCs around the world to search the web, though the companies offered free tools to clean machines through messages that were automatically pushed out to infected computers.

Technicians working on behalf of both companies raided data centers in Weehawken, N.J., and Manassas, Va., accompanied by U.S. federal marshals, under an order issued by the U.S. District Court in Alexandria, Va.

They seized control of one server at the New Jersey facility and persuaded the operators of the Virginia data center to take down a server at their parent company in the Netherlands, according to Richard Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit.

Boscovich told Reuters that he had "a high degree of confidence" that the operation had succeeded in bringing down the cybercrime operation, known as the Bamital botnet.

"We think we got everything, but time will tell," he said.

The servers that were pulled offline on Wednesday had been used to communicate with what Microsoft and Symantec estimate are between 300,000 and 1 million PCs currently infected with malicious software that enslaved them into the botnet.
HIJACKING SEARCHES
The companies said that the Bamital operation hijacked search results and engaged in other schemes that the companies said fraudulently charge businesses for online advertisement clicks.

Bamital's organizers also had the ability to take control of infected PCs, installing other types of computer viruses that could engage in identity theft, recruit PCs into networks that attack websites and conduct other types of computer crimes.

Now that the servers have been shut down, users of infected PCs will be directed to a site informing them that their machines are infected with malicious software when they attempt to search the web.

Microsoft and Symantec are offering them free tools to fix their PCs and restore access to web searches via messages automatically pushed out to victims.

The messages warn: "You have reached this website because your computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer."

It was the sixth time that Microsoft has obtained a court order to disrupt a botnet since 2010. Previous operations have targeted bigger botnets, but this is the first where infected users have received warnings and free tools to clean up their machines.

Microsoft runs a Digital Crimes Unit out of its Redmond, Washington, headquarters that is staffed by 11 attorneys, investigators and other staff who work to help law enforcement fight financial crimes and exploitation of children over the web.

Symantec approached Microsoft about a year ago, asking the maker of Windows software to collaborate in trying to take down the Bamital operation. Last week they sought a court order to seize the Bamital servers.

The two companies said they conservatively estimate that the Bamital botnet generated at least $1 million a year in profits for the organizers of the operation. They said they will learn more about the size of the operation after they analyze information from infected machines that check in to the domains once controlled by Bamital's servers.
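The two mechanisms the article describes, a seized domain that now answers infected machines with a warning page, and the later analysis of those check-ins to gauge the size of the botnet, can be illustrated with a small sinkhole log analyzer. The code below is an added example written for this page; it is not Microsoft's or Symantec's code, and the log line format, the sample entries, the sinkhole host name and the crawler-filtering heuristic are all constructed assumptions. Only the warning text is taken from the article.

```python
"""Sinkhole check-in analysis: serve the victim notice and estimate infected hosts.

Added example, not the companies' own tooling. The log format
"<timestamp> <client ip> <method> <path> host=<name> ua=<agent>" is assumed.
"""
import re
from collections import defaultdict

# Constructed sample sinkhole log lines (not real Bamital data).
# 192.0.2.77 is a crawler hitting robots.txt, not a redirected victim.
SAMPLE_LOG = """\
2013-02-06T14:02:11Z 203.0.113.5 GET /search?q=cheap+flights host=sinkhole.example ua=Mozilla/5.0
2013-02-06T14:02:13Z 203.0.113.5 GET /search?q=cheap+flights host=sinkhole.example ua=Mozilla/5.0
2013-02-06T15:10:40Z 198.51.100.23 GET /search?q=weather host=sinkhole.example ua=Mozilla/4.0
2013-02-06T16:00:00Z 192.0.2.77 GET /robots.txt host=sinkhole.example ua=ExampleCrawler/1.0
2013-02-07T09:30:00Z 203.0.113.5 GET /search?q=news host=sinkhole.example ua=Mozilla/5.0
2013-02-07T10:00:00Z 198.51.100.99 GET /search?q=news host=sinkhole.example ua=Mozilla/4.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) host=(\S+) ua=(.*)$")

# Warning text quoted in the article, served to redirected victims.
NOTICE = (
    "You have reached this website because your computer is very likely to be "
    "infected by malware that redirects the results of your search queries. "
    "You will receive this notification until you remove the malware from your "
    "computer."
)


def parse_line(line):
    """Parse one assumed-format log line into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, host, ua = m.groups()
    return {"day": ts[:10], "ip": ip, "method": method,
            "path": path, "host": host, "ua": ua}


def is_victim_checkin(rec):
    """True when a request looks like a hijacked search from an infected host.

    Constructed heuristic: the request targets the search path and the
    user agent is not an obvious crawler. Real sinkhole operators would
    key on the malware's actual request pattern, which this page does not give.
    """
    if not rec["path"].startswith("/search"):
        return False
    if "crawler" in rec["ua"].lower():
        return False
    return True


def sinkhole_response(rec):
    """What the seized domain answers: the warning page for victims, 404 otherwise."""
    if is_victim_checkin(rec):
        return 200, NOTICE
    return 404, "Not found"


def unique_victims(log_text):
    """Return (per_day, total): distinct client IPs per day and overall.

    This is a lower bound on infected machines: NAT folds many machines into
    one address, while DHCP churn can make one machine appear as several.
    """
    per_day = defaultdict(set)
    total = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_victim_checkin(rec):
            continue
        per_day[rec["day"]].add(rec["ip"])
        total.add(rec["ip"])
    return {day: len(ips) for day, ips in sorted(per_day.items())}, len(total)


if __name__ == "__main__":
    counts, overall = unique_victims(SAMPLE_LOG)
    for day, n in counts.items():
        print(f"{day}: {n} unique infected addresses")
    print(f"total unique addresses: {overall}")
```

Running the script on the embedded sample gives two distinct victim addresses on each day and three overall; the crawler line is excluded from both the count and the warning page. The point of keying on distinct addresses rather than raw hits is visible in the first two lines: one machine that retries a search twice should not be counted twice.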
Their complaint identified 18 "John Doe" ringleaders, scattered from Russia and Romania to Britain, the United States and Australia, who registered websites and rented servers used in the operation under fictitious names. The complaint was filed last week with a federal court in Alexandria and unsealed on Wednesday.

The complaint alleges that the ringleaders made money through a scheme known as "click fraud" in which criminals get cash from advertisers who pay websites commissions when their users click on ads.

Bamital redirected search results from Google, Yahoo and Microsoft's Bing search engines to sites with which the authors of the botnet have financial relationships, according to the complaint.

The complaint also charges that Bamital's operators profited by forcing infected computers to generate large quantities of automated ad clicks without the knowledge of PC users.

Symantec researcher Vikram Thakur said Bamital is just one of several major botnets in a complex underground "click fraud ecosystem" that he believes generates at least tens of millions of dollars in revenue.

He said that researchers at will comb the data on the servers in order to better understand how the click fraud ecosystem works and potentially identify providers of fraudulent ads and traffic brokers.

"This is just the tip of the iceberg in the world of click fraud," said Thakur.

Boscovich said he believes the botnet originated in Russia or Ukraine because affiliated sites install a small text file known as a cookie that is written in Russian on infected computers.

The cookie file contains the Russian phrase "yatutuzebil," according to the court filing. That can loosely be translated as "I was here," he said.

Microsoft provided details on the takedown operation on its blog.
(Reporting by Jim Finkle; Editing by Claudia Parsons and Leslie Gevirtz)