New Bahama botnet evades search engines, fuels click fraud

By Robert Westervelt, News Editor
18 Sep 2009 | SearchSecurity.com


Researchers at Click Forensics Inc. have discovered a new botnet that is evading search engines and is responsible for a rise in click fraud traffic and a popup adware scheme distributing rogue antivirus.

Named the Bahama botnet because it initially redirected traffic through 200,000 parked domains located in the Bahamas, it uses sophisticated methods to elude detection by search engine filters. The botnet is responsible for a rise in Google search results that send visitors through several ad network redirects, sometimes linking to malware-infected sites. Some of the malicious links point to rogue antivirus programs that install malware onto victims' machines, turning them into automated click fraud generators. The scheme is believed to be tied to the same cybercriminal organization responsible for the adware campaign that affected advertisements on The New York Times website last weekend.

"The pattern of attack they're using is specifically designed to elude ad networks and they're doing it very successfully," said Matt Graham, a risk analyst at Click Forensics. "It's one of the most sophisticated attacks I've ever seen; mostly because of how good it looks and the quality of traffic it produces."

Click fraud has become a highly sophisticated scheme, bilking millions from online advertisers in recent years. The problem has become so pervasive that search engine giants Google, Yahoo and most recently Microsoft have started taking action. In June, Microsoft filed a civil lawsuit against three people for their role in a massive click fraud campaign that included targeting ads on the popular online role-playing game World of Warcraft.

Graham posted a YouTube video Thursday showing how the Bahama botnet works. He said the botnet continues to elude search engine and ad network filters because it generates paid clicks by using normal user behavior to transform an organic search into a paid click. For example, once a user clicks on a search engine result link to Dell.com, they are sent through several ad networks in the background before arriving at Dell.com.

"The filters aren't sensitive enough to detect the botnet traffic from organic traffic," Graham said. "It only hijacks certain queries so it doesn't force a lot of traffic through a particular ad network."

As a result, search engine and ad network filters don't see any huge volume spikes because the attackers are hijacking individual user queries and the keywords look natural and organic, Graham said.
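A defender-side sketch of the redirect pattern described above, added here as an example and not code from Click Forensics or this article: it walks proxy-log records and flags search-referred clicks that pass through two or more intermediate hosts before landing. The log layout, search-host list, thresholds and `.example` domains are assumptions, and the sample records are constructed.

```python
from urllib.parse import urlparse

SEARCH_HOSTS = {"www.google.com", "search.yahoo.com", "www.bing.com"}  # assumed list
MAX_GAP = 5    # seconds allowed between hops of one chain (assumption)
MIN_HOPS = 2   # intermediate hosts needed to flag a click (assumption)
MAX_CHAIN = 10 # stop following redirect loops

# Constructed records: (time, client, url, referer, status, location)
SAMPLE_LOG = [
    (100, "10.0.0.5", "http://parked.example/r?q=laptops",
     "http://www.google.com/search?q=laptops", 302, "http://adnet-a.example/c?id=1"),
    (101, "10.0.0.5", "http://adnet-a.example/c?id=1", "", 302,
     "http://adnet-b.example/c?id=9"),
    (102, "10.0.0.5", "http://adnet-b.example/c?id=9", "", 302, "http://www.dell.com/"),
    (103, "10.0.0.5", "http://www.dell.com/", "", 200, ""),
    (200, "10.0.0.7", "http://www.dell.com/",
     "http://www.google.com/search?q=dell", 200, ""),
]

def host(url):
    return (urlparse(url).hostname or "").lower()

def redirect_chains(log):
    """Return (client, [hosts]) for each search-referred click, following 3xx hops."""
    records, chains = sorted(log), []
    for i, (ts, client, url, referer, status, location) in enumerate(records):
        if host(referer) not in SEARCH_HOSTS:
            continue
        chain, last_ts = [host(url)], ts
        while 300 <= status < 400 and location and len(chain) < MAX_CHAIN:
            nxt = next((r for r in records[i + 1:] if r[1] == client
                        and r[2] == location and 0 <= r[0] - last_ts <= MAX_GAP), None)
            if nxt is None:              # next hop never logged: note its host, stop
                chain.append(host(location))
                break
            last_ts, status, location = nxt[0], nxt[4], nxt[5]
            chain.append(host(nxt[2]))
        chains.append((client, chain))
    return chains

def suspicious_clicks(log):
    """Flag clicks whose chain crosses MIN_HOPS or more distinct hosts before landing."""
    flagged = []
    for client, chain in redirect_chains(log):
        intermediates = list(dict.fromkeys(chain[:-1]))  # distinct, order kept
        if len(intermediates) >= MIN_HOPS:
            flagged.append((client, intermediates, chain[-1]))
    return flagged
```

Hop count alone is a coarse heuristic; in practice it would be combined with per-host allowlists, since the article's point is that each hijacked click looks organic when viewed in isolation.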

In addition, the botnet uses networks of zombie machines it has infected to automatically generate paid clicks with no human interaction. The botnet has been so successful that it is responsible for affecting up to 30% of an advertiser's monthly search budget for a specific campaign, according to Click Forensics.

Graham said the traffic and methods used by the botnet suggest it is identical to the adware campaign that affected advertisements on the NYTimes.com website last weekend. Both attacks called on the same IP address to authenticate, which suggests it's under the control of the same criminal gang, Graham said.

Security consultant Dancho Danchev wrote in a recent blog entry that evidence suggests NYTimes.com's problems likely stem from a Ukrainian organized cybercriminal gang known as the "fan club."

The Bahama botnet has since been reprogrammed to redirect traffic through other intermediate sites hosted in Amsterdam, Netherlands; the United Kingdom; and San Jose, Calif.

In its tests, Click Forensics said it found that only one antivirus program out of 20 popular ones is capable of identifying and removing the malicious program responsible for bringing PCs under the control of the botnet. The company has contacted antivirus vendors as well as top ad networks and search engines to identify the nefarious traffic from the botnet.
