Bamital botnet dismantled, as Microsoft seizes control of malware servers

Graham Cluley

If any of your computers showed you a screen like this today, you can thank Microsoft.

And you *should* thank them, as chances are that those computers are infected by malware called Bamital.

Bamital malware notification

As Reuters reports, security experts at Microsoft, working with others in the computer security industry, have disrupted a botnet being used by the Bamital malware family.


On Wednesday, data centers in Weehawken, New Jersey, and Manassas, Virginia, were raided by US Marshals, accompanied by Microsoft investigators, and web servers used by cybercriminals were seized.

Experts secure digital evidence of the Bamital botnet at a web-hosting facility in New Jersey

Malware used by the Bamital botnet hijacked unsuspecting users’ Windows computers, creating false online advertising clicks, intercepting searches and redirecting users to websites designed to infect PCs with spyware.

A Microsoft blog post about the botnet takedown gives an example of how users who thought they were clicking on a search result taking them to the official Norton Internet Security webpage were in fact redirected to a website purveying fake anti-virus software.

It is estimated that, at its height, the botnet consisted of seven million hijacked computers, generating the gang behind it over £700,000 per year.

With the Bamital servers taken down, users of affected PCs are now directed to a webpage set up by Microsoft and Symantec, informing victims their computers are likely to be infected with malware.

Part of Bamital malware notification

Didn't expect this page?

You were likely trying to conduct a web search before you got to this page, however your computer is believed to be infected with malware known as bamital, which interferes with web search. Please read and follow the instructions on this page to resolve this issue.

Why am I here?

You have reached this website because your computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer.

Any good, up-to-date anti-virus program should be able to detect and help you clean up a Bamital infection on your computer. You can either use the tools that Microsoft recommends, or try Sophos’s free virus removal tool.

It’s great to see life being made more difficult for the cybercriminals, and this action bringing down the botnet has to be applauded. When the computer security authorities and law enforcement agencies work together, we can really raise the heat on the bad guys.

Ultimately, however, the most important thing will be to bring the perpetrators to justice – not just bring down their web servers. We need to catch those who write the malware, sell the malware, buy the malware, and those who profit from the botnet.

Unless the culprits are brought to justice, the crimes are likely to continue.

Further reading: Symantec’s technical paper on Bamital [PDF]


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.
