Bamital Trojan – Pay Per Install (Sept 3, 2010)


The SonicWALL UTM Research team observed reports of the Bamital Trojan installer being distributed in the wild as part of a Pay-Per-Install campaign run by the malware authors.

The Bamital Trojan family is known to monitor user browsing activity, modify internet search results and display advertisements, generating revenue for the malware authors. SonicWALL has seen an increase in the number of Bamital-infected executable files since early August.

A forum posting was seen yesterday that advertised revenue sharing per installation, i.e. per infection with the Bamital Trojan (the post has since been removed). As seen in the image below, they assign a numeric ID to each user who signs up and provide a binary based on that user ID, which can be used to track the number of installations. The malware authors are offering up to $800 per 1000 infections, which gives an indication of the amount of money they are making out of it.


The domain advertised in the post is of Russian origin and is actively serving the Bamital Trojan installer at the time of writing this alert. The malicious installer executable performs the following activities upon execution:

  • Disables the System Restore functionality by modifying the registry
  • Creates the following files on the infected system:
    • (WINDOWS)\Temp\explorer.dat [Original version of system explorer.exe]
    • (WINDOWS)\Temp\winlogon.dat [Original version of system winlogon.exe]
    • (WINDOWS)\system32\hlp.dat [Encrypted file containing data & code used during runtime]
    • (Application Data)\Windows Server\admin.txt
    • (Application Data)\Windows Server\server.dat [Encrypted file containing data & code used during runtime]

  • Injects code into the Windows system executables Explorer.exe and Winlogon.exe. The malicious code is injected at the entry point of these system executables and looks like this:
  • screenshot

  • The Trojan now monitors the user’s web browsing activity via a hook in Explorer.exe. The Trojan then tries to modify the web search results for any search query done via affected web browsers.

  • It deletes the original Installer file that was executed.
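The file artifacts listed above lend themselves to a host triage check. The following is an added example, not code from SonicWALL or from the original alert: it looks for the listed files under a Windows directory and an Application Data directory (a live host or a mounted disk image) and, because the alert says the two .dat files in Temp are the original system binaries, compares each backup's hash with the live binary. It assumes the alert's paths read with their directory separators restored and that the live binaries sit in the default Windows locations; the function names are this example's own.

```python
import hashlib
import sys
from pathlib import Path

# Artifact paths from the alert, relative to its (WINDOWS) and (Application Data) placeholders.
WINDOWS_ARTIFACTS = ["Temp/explorer.dat", "Temp/winlogon.dat", "system32/hlp.dat"]
APPDATA_ARTIFACTS = ["Windows Server/admin.txt", "Windows Server/server.dat"]
# Backup copy -> live binary it preserves. Live locations are the Windows
# defaults, an assumption of this example.
BACKUP_OF = {"Temp/explorer.dat": "explorer.exe",
             "Temp/winlogon.dat": "system32/winlogon.exe"}


def find_ci(base, rel):
    """Resolve rel under base ignoring case, so mounted images work on Linux."""
    cur = Path(base)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((p for p in cur.iterdir() if p.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur if cur.is_file() else None


def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def triage(windows_dir, appdata_dir):
    """Return (finding, relative_path) tuples for one host or mounted image."""
    findings = []
    for base, names in ((windows_dir, WINDOWS_ARTIFACTS), (appdata_dir, APPDATA_ARTIFACTS)):
        for name in names:
            if find_ci(base, name):
                findings.append(("artifact_present", name))
    # The .dat files hold the original binaries, so a live binary whose hash
    # differs from its backup was modified after the backup was taken.
    for backup, live in BACKUP_OF.items():
        b, l = find_ci(windows_dir, backup), find_ci(windows_dir, live)
        if b and l and sha256(b) != sha256(l):
            findings.append(("system_binary_differs_from_backup", live))
    return findings


if __name__ == "__main__":
    for finding in triage(sys.argv[1], sys.argv[2]):
        print(*finding, sep="\t")
```

A hash mismatch can also follow a legitimate update applied after the backup was taken, so treat it as a lead for further analysis rather than a verdict.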

SonicWALL Gateway AntiVirus provides protection against this Trojan via the following signatures:

  • GAV: Bamital.DZ (Trojan)
  • GAV: Suspicious#bamital (Trojan)