Software makers Microsoft Corp and Symantec Corp said they disrupted a global cyber-crime operation by shutting down servers that controlled hundreds of thousands of PCs without the knowledge of their users.
The move made it temporarily impossible for infected PCs around the world to search the web, though the companies offered free tools to clean machines through messages that were automatically pushed out to infected computers.
Technicians working on behalf of both companies raided data centers in Weehawken, New Jersey, and Manassas, Virginia, on Wednesday, accompanied by U.S. federal marshals, under an order issued by the U.S. District Court in Alexandria, Virginia.
They seized control of one server at the New Jersey facility and persuaded the operators of the Virginia data center to take down a server at their parent company in the Netherlands, according to Richard Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit.
Boscovich told Reuters that he had "a high degree of confidence" that the operation had succeeded in bringing down the cyber-crime operation, known as the Bamital botnet.
"We think we got everything, but time will tell," he said.
The servers that were pulled offline on Wednesday had been used to communicate with what Microsoft and Symantec estimate are between 300,000 and 1 million PCs currently infected with malicious software that enslaved them into the botnet.
Hijacking searches
The companies said that the Bamital operation hijacked search results and engaged in other schemes that the companies said fraudulently charge businesses for online advertisement clicks.
Bamital's organizers also had the ability to take control of infected PCs, installing other types of computer viruses that could engage in identity theft, recruit PCs into networks that attack websites and conduct other types of computer crimes.
Now that the servers have been shut down, users of infected PCs will be directed to a site informing them that their machines are infected with malicious software when they attempt to search the web.
Microsoft and Symantec are offering them free tools to fix their PCs and restore access to web searches via messages automatically pushed out to victims.
The messages warn: "You have reached this website because your computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer."
It was the sixth time that Microsoft has obtained a court order to disrupt a botnet since 2010. Previous operations have targeted bigger botnets, but this is the first where infected users have received warnings and free tools to clean up their machines.
Microsoft runs a Digital Crimes Unit out of its Redmond, Washington, headquarters that is staffed by 11 attorneys, investigators and other staff who work to help law enforcement fight financial crimes and exploitation of children over the web.
Symantec approached Microsoft about a year ago, asking the maker of Windows software to collaborate in trying to take down the Bamital operation. Last week they sought a court order to seize the Bamital servers.
The two companies said they conservatively estimate that the Bamital botnet generated at least $1 million a year in profits for the organizers of the operation. They said they will learn more about the size of the operation after they analyze information from infected machines that check in to the domains once controlled by Bamital's servers.
Their complaint identified 18 "John Doe" ringleaders, scattered from Russia and Romania to Britain, the United States and Australia, who registered websites and rented servers used in the operation under fictitious names. The complaint was filed last week with a federal court in Alexandria and unsealed on Wednesday.
The complaint alleges that the ringleaders made money through a scheme known as "click fraud" in which criminals get cash from advertisers who pay websites commissions when their users click on ads.
Bamital redirected search results from Google, Yahoo and Microsoft's Bing search engines to sites with which the authors of the botnet have financial relationships, according to the complaint.
The complaint also charges that Bamital's operators profited by forcing infected computers to generate large quantities of automated ad clicks without the knowledge of PC users.
Symantec researcher Vikram Thakur said Bamital is just one of several major botnets in a complex underground "click fraud ecosystem" that he believes generates at least tens of millions of dollars in revenue.
He said that researchers will comb the data on the servers in order to better understand how the click fraud ecosystem works and potentially identify providers of fraudulent ads and traffic brokers.
"This is just the tip of the iceberg in the world of click fraud," said Thakur.
Boscovich said he believes the botnet originated in Russia or Ukraine because affiliated sites install a small text file known as a cookie that is written in Russian on infected computers.
The cookie file contains the Russian phrase "yatutuzebil," according to the court filing. That can loosely be translated as "I was here," he said.
Microsoft provided details on the takedown operation on its blog.
© Thomson Reuters 2013