Microsoft and Symantec researchers busted into two data centers in New Jersey and Virginia today to shut down servers associated with a botnet called Bamital.

The companies had an order from the U.S. District Court in Alexandria, Va., according to Reuters, allowing them to enter the data centers. Those at the New Jersey facility seized one of the servers and shut it down. Others in Virginia convinced workers to contact their Netherlands-based parent company and shut down a server there.

The botnet secretly used victim’s computers to steal advertising revenue. The victims didn’t know this was going on until their computers were suddenly unable to search the Internet. Microsoft and Symantec say those people were served with a message that read, “You have reached this website because you computer is very likely to be infected by malware that redirects the results of your search queries. You will receive this notification until you remove the malware from your computer.” It then offered ways to do so.

Bamital is believed to have infected somewhere between 600,000 and 900,000 computers. Microsoft and Symantec are confident they’ve shut down the entire botnet, but notes that only “time will tell,” according to Microsoft’s Digital Crimes Unit’s associate general counsel Richard Boscovich who spoke with Reuters.

This isn’t Microsoft’s first go-around at taking down a botnet, however. In 2011, the company took down the Kelihos botnet, which is small by comparison at on 41,000 infected computers. At the time Microsoft said, however, that the botnet was capable of sending out over 3.8 billion spam emails a day. Microsoft also named suspected perpetrators behind the botnet including a man named Dominique Alexander Piatti.

Later, in 2012, a second and bigger Kelihos botnet was found in the wild. It was subsequently shut down by Russian security firm Kaspersky Lab.

Batman image via kevin dooley/Flickr

The FBI arrested 10 people associated with the a crime ring pushing the malware Yahos, according to an announcement today, saying the malware affected over 11 million people. Facebook’s security team helped the FBI by identifying both the criminals and the victims.

Yahos is a type of malware that steals bank account information, credit card numbers, and other personally identifiable information to siphon off money from its victims. Various criminals using Yahos have also created botnets to distribute the malware. The botnet Butterfly was shut down in connection to these arrests after lifting over $850 million from people around the world.

Facebook became involved in the fight after botnets also targeted the social network. As Ars Technica notes, the botnet spammed Facebook users with links leading to the malware. The malware then pretended to be a video plugin that needed installing. According to the FBI, Facebook was able to detect the infections, alert users, and otherwise “provide tools” for them to use in clean up. It was affected between 2010 and October 2012, which may indicate that the botnet was quietly shut down that month.

The 10 arrested individuals came from a number of different countries including the United States, Boznia and Herzegovina, Croatia, Macedonia, the United Kingdom, New Zealand, and Peru.

The FBI went on the recommend that consumers turn off a computer’s Internet access when it is not in use to minimize the risk of unwanted activity.

We have reached out to Facebook and will update upon hearing back.

Dead butterfly via jimmiehomeschoolmom/Flickr

Increasingly, says Henry, the F.B.I. came across stolen information during the course of one investigation which revealed that another corporate network had been breached for months or even years without the company in questions having any idea they were ever under attack. We reported earlier this month on the 100 million people whose data was breached by Anonymous this year. But its seems increasingly clear that the hacking attacks which are made public are just the tip of the iceberg.

For example, testimony this Monday in front of Congress by the security firm Mandiant revealed that in the majority of cases traced back to Chinese hackers, the average company was unaware of the problem for 416 days before being alerted to the problem, often by a third-party security firm.

This grim portrait explains why some companies are getting more creative. VentureBeat chatted a bit yesterday with Richard Boscovich, the senior lawyer in Microsoft’s digital crimes division who led the Microsoft’s recent raids on the Zeus botnet. He says that big companies need to step up and plug the gap left by law enforcement and traditional corporate security. “We’re very lucky because our legal department is very forward thinking and allows us to get creative in order to address what is a rapidly growing problem,” Boscovich said.

Boscovich was actually waiting in a courthouse for a trail to begin and overheard a case being brought by a handbag manufacturer against a counterfeit ring. “I realized that we could use the same principles laid down in the Lanham Trademark Act of the 1940s to go after the botnet armies that use Microsoft’s name to further their malicious email.”

The actual criminal gangs behind the Zeus botnet are believed to be located overseas, but Boscovich says the idea is to change the ecosystem at home. “When we shut them down here, it makes it more expensive to do business. We can’t eliminate the threat entirely, but hopefully we can get to a point where crime doesn’t pay like it used to.”

Image via Flickr user altermark

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Last week Symantec reported 13 potentially malware-carrying Android applications, that it said may make up a family of botnets. Mobile security firm Lookout Mobile, however, is now saying the apps are just an advertising network.

“We disagree with the assessment that this is malware, although we do believe that the Apperhand SDK (Android.Counterclank) is an aggressive form of ad network and should be taken seriously,” said Lookout Mobile in a blog post.

On Friday, Symantec found a number of gaming and explicit-content applications that it claimed was from the the Android.Counterclank family. Android.Counterclank bares a resemblance to Android.Tonclank, which has been defined as a botnet string. Botnets steal information from your devices and then use them to infect and control other devices in comes in contact with. At the time, however, Lookout Mobile did not agree and said while it wasn’t sure what these applications were, they were not malicious as Symantec had suggested.

“Malware is defined as software that is designed to engage in malicious behavior on a device,” Lookout said, “Apperhand doesn’t appear to be malicious, and at this point in our investigation, this is an aggressive form of an ad network – not malware.”

It’s hard to tell the different between spam and the real thing. Sometimes spam can be malicious, with links that download software to your device, or steal your personal information. Some spam, however, exists only as an annoyance. It interrupts your activities, makes you pay attention to something unwanted, and can sometimes go over the top in the ways it gets your attention. That’s exactly what Lookout Mobile is defining this string of applications as: aggressive advertising.

Apperhand skates on the line of what is an accepted intrusion from an advertisement. The applications do identify your device in its servers, but it does not collect other data. It also able to send push notifications to your phone, what some call the “pop-up window of mobile.” These are annoying because, like a pop-up, they really do disturb your activity and force you to take an action. Regular advertisements usually sit at the bottom or top of an application and does not interrupt the application itself.

It is also capable of downloading an icon to your mobile desktop, which is where Apperhand skates much closer to the line. According to Lookout, this icon leads to a web search tool, which only provides safe content. It is still capable of downloading unwanted content to your phone, however, which is a form of spam. Lastly, Apperhand can download bookmarks to your mobile browser, which is over the line for Lookout. Browser bookmarks and toolbars in PCs can be very dangerous, and act as an easy gateway for malware. It seems, however, that this is not the use case for Apperhand, though it should be watched.

Both Symantec and Lookout are continuing research into these applications, especially as previous forms of Apperhand were labeled as dangerous. Some of the apps identified by Symantec have been taken down from the Android app store already, but Lookout warns that this may be for other reasons such as copyright infringement.

Spam photo via Shutterstock

July 9-10, 2013
San Francisco, CA

Early Bird Tickets on Sale

Symantec claims to have found a string of “malicious” applications in the Android app store that resemble botnets.

According to a blog post by the company, these applications are pushing out a type of malware called Android.Counterclank, which is said to be related to a botnet-like virus called Android.Tonclank. Botnets generally extend from a commanding device, which then takes control of other devices via spam messages. On mobile, this control can be achieved through malicious applications.

Symantec says that Android.Counterclank has already affected 1000′s and considers its damage level to be a “medium,” for stealing personal information off of the phone. Thus far the company has isolated 13 potentially harmful applications in the Android Marketplace. The majority of which seem to be gaming applications as well as porn or applications with explicit content.

Mobile security firm Lookout Mobile, however, does not believe these applications to be malicious or botnet-like.

“Some companies are calling this a botnet or malware. Lookout has some concerns about the functionality, however at this time, and as far as we can tell, it does not meet the standard to be classified as malware or a ‘bot,’” said a Lookout Mobile spokesperson in an e-mail. “Consumers should take these apps very seriously as they appear to tread on privacy lines, but they are not necessarily malicious.”

Mobile botnets recently made Lookout Mobile’s threat predictions for 2012. The tactic thankfully hasn’t been used to its full potential yet, but some small scale botnets have already been detected. In 2011, Lookout Mobile found a botnet string called Geinimi originating out of China. This malware was able to receive commands from a remote server, as well as extract information from your phone, and attempt to infect others using your phone.

The company also warns that most common carriers of mobile malware are gaming and porn applications, which make up Android.Counterclank’s roster. See Symantec’s list of infected apps below:

Microsoft has accused a Russian former anti-virus software developer of creating the Kelihos botnet, which sent out 3.8 billion spam messages every day in its prime.

Andrey Sabelnikov, who currently lives in St. Petersburg, Russia, was once a “software engineer and project manager at a company that provided firewall, antivirus and security software,” according to Microsoft’s amendment (PDF) to its original complaint with the U.S. district court in Virginia. Sabelnikov currently works for a software development and consulting firm as a freelancer. Microsoft alleges that software associated with the control of Kelihos identifies Sabelnikov as creator, operator, and controller of the botnet.

“Microsoft is informed and believes and thereupon alleges that Defendant wrote and/or participated in creating the harmful computer software that constitutes the Kelihos botnet,” Microsoft wrote in the amended complaint. “Defendant has used the software to control, operate, maintain and grow the Kelihos botnet, by among other things, infecting innocent users’ computers.”

Microsoft took down the Kelihos botnet in September, which had around 41,000 computers under its control. The discovery and eventual removal was done as a part of MARS (Microsoft Active Response for Security) program, created with its cyber crime unit to protect the internet as a whole. At the time, Microsoft was proud to name defendants, Alexander Piatti and 22 “John Does,” charged with owning “cz.cc” domains used to infiltrate to-be drone computers.

Sabelnikov allegedly purchased 3,723 of these “cz.cc” subdomains from Piatti and used them to operate Kelihos.

Kelihos-controlled computers in Virginia

Though Kelihos is actually a botnet on the smaller side, Microsoft is pursuing the case to show domain owners there needs to be more responsibility for who is sold subdomains. The company uses the example of pawn shops in a blog post. Pawn shop owners require a name, address and other identifying pieces of information from those who wish to pawn an item. That way if something goes wrong or if the item is found to be stolen, the seller can be contacted. Domain owners, however, are not held to similar standard and are looser in who can use their subdomains.

“Currently no requirements necessitating domain hosts to know anything about the people using their subdomains,” said Richard Domingues Boscovich, a senior attorney in Microsoft’s Digital Crimes Unit, “Making it easy for domain owners to look the other way.”

hat tip The Verge

Botnets are groups of malware-infected computers that are used for malicious activities, such as sending spam, stealing personal information, launching hacker attacks, and infecting other computers with viruses. They are so hard to defeat because there are so many infected machines.

Kaspersky’s anti-virus software identifies the botnet as TDSS. “TDSS uses a range of methods to evade signature, heuristic, and proactive detection, and uses encryption to facilitate communication between its bots and the botnet command and control center,” Golovanov wrote earlier this week. “TDSS also has a powerful rootkit component, which allows it to conceal the presence of any other types of malware in the system.”

The TDL-4 botnet started hitting computers in 2008, and it goes undetected because it infects the master boot record of a computer. This means the operating system and security software can’t detect it because the infection is so deep. It’s also strong because it has its own “anti-virus” that prevents other botnets from taking it over.

Add this to the the fact that the TDL-4 uses a decentralized peer-to-peer (P2P) network to operate and you have yourself a practically “indestructible” botnet, according to Golovanov.

People can unwittingly infect their computers with a botnet by downloading something that appears harmless, such as a humorous video or picture. The infected file is usually attached to something inane and could easily be via e-mail, so it’s important to have active security software to scan all of your downloads.