Comments on: Microsoft, Symantec Hijack ‘Bamital’ Botnet

By: Paul

Paul — Mon, 11 Feb 2013 20:53:41 +0000

I agree that references to the IP address the MS put up or other details about the remote networks used by the malware for C&C would be helpful so we can load up our SIEM’s and do some validation across the enterprise. I reviewed the court order linked in Brian’s article – however the appendices which listed domains / IP’s were not included. I then went to symantec and checked on malware technical details – discovered the following:

1. Microsoft owns this ip 199.2.137.138/32 and 90% of the domains referenced by Symantec resolve to this address – hence that’s the address that MS is using to sinkhole this thing (assumption only)
2. Several other IP’s were referenced by Symantec, which aren’t owned by MS 46.4.31.134/32,202.141.12.3/32,50.63.202.12/32
202.141.12.3/32,202.141.12.3/32,64.74.223.34/32
212.154.192.98/32,195.22.26.231/32,108.59.3.131/32

I’m adding all these to my SIEM so I can get alerted if computers in our org end up going there. Doesn’t mean it’s malware but w/o any other information – it’s all I have to go on.

By: Lisa

Lisa — Mon, 11 Feb 2013 02:51:37 +0000

If you do not know your computer has been compromised how can you help with the next security features needed. Innovation is the key, along with layers, and layers of safety!!

By: KFritz

KFritz — Sun, 10 Feb 2013 06:47:06 +0000

Y’ call it a p’otection racket. Y’ know whadI mean?

Fuhgedaboudit.

By: Scarab

Scarab — Fri, 08 Feb 2013 14:44:09 +0000

I wish readers were more knowledgeable in the subjects they read about. You trust Microsoft for your operating system and allow auto updates but you’re weary of an automated botnet removal tool from MS?

By: Mark Dowling

Mark Dowling — Fri, 08 Feb 2013 13:52:02 +0000

I would hope it’s the latter. If a user can work around it where’s the strong incentive to scan their machine not only for Bamital but other compromises?

By: BrianKrebs

BrianKrebs — Thu, 07 Feb 2013 23:03:42 +0000

Hi Terry. Haven’t seen you in a while. Welcome back. The date is not standard, to be sure, because it confuses a lot of people. The day in the date box at the top left of every story is the big number on top. The month, and then year.

By: Cody

Cody — Thu, 07 Feb 2013 22:58:43 +0000

For finding Bamital manually, it is very simple. You just need to check 3 files on your PC using an online sandbox like: http://www.virustotal.com

- C:\Windows\explorer.exe
- C:\Windows\system32\svchost.exe
- C:\Windows\system32\winlogon.exe

Virustotal will tell you very clearly whether the file is infected and with what. As far as manual removal goes, you are not going to have an easy time with that. Manual removal for this infection is not recommended as Bamital is a file-infector, and the files it infects are necessary for Windows to function properly.

By: Richard Steven Hack

Richard Steven Hack — Thu, 07 Feb 2013 21:52:54 +0000

I think the point he was trying to make is that much of the time we don’t know what the tool is doing.

We don’t need to inspect the source code. We just need some documentation as to what the tool is doing, in case it screws up.

For instance, running Combofix is considered “at your own risk” – but there is ZERO documentation as to what it’s doing when it runs through its fifty or more “steps”. That makes me as a tech support guy nervous. If it fries the client’s computer, I’m going to get blamed especially if I had no idea what it did.

By: Terry Bowden

Terry Bowden — Thu, 07 Feb 2013 21:49:30 +0000

Just wondering why this is dated as futuristic – Feb 13.

I wonder when the elephants are going to gain attention – over 50% of spam comes from Cutwail 1, Cutwail 4 and Lethic. See
https://www.trustwave.com/support/labs/spam_statistics.asp

By: Anti DDoS

Anti DDoS — Thu, 07 Feb 2013 19:32:41 +0000

Wow, over 22% of pay-per-clicks was fraud in 2012. This is not good to for people using AdWords and Bing Ads. At least, they stopped that botnet.. but is there more running? could it be 50%? scary.