Information Security News:

New Bahama botnet evades search engines, fuels click fraud

By Rob Westervelt, News Editor

22 Sep 2009 | searchSecurity.in

Researchers at Click Forensics Inc. have discovered a new botnet that is evading search engines and is responsible for a rise in click fraud traffic and a popup adware scheme distributing rogue antivirus.

Named the Bahama botnet because it initially redirected traffic through 200,000 parked domains located in the Bahamas, it uses sophisticated methods to elude detection by search engine filters. It is responsible for a rise in Google search results that send visitors through several ad network redirects, sometimes linking to malware-infected sites. Some of the malicious links point to rogue antivirus programs that install malware onto victims' machines, turning them into automated click fraud generators. The scheme is believed to be tied to the same cybercriminal organization responsible for the adware campaign that affected advertisements on The New York Times website last weekend.

"The pattern of attack they're using is specifically designed to elude ad networks and they're doing it very successfully," said Matt Graham, a risk analyst at Click Forensics. "It's one of the most sophisticated attacks I've ever seen; mostly because of how good it looks and the quality of traffic it produces."

Click fraud has become a highly sophisticated scheme bilking millions from online advertisers in recent years. The problem has become so pervasive that search engine giants Google, Yahoo and, most recently, Microsoft have started taking action. In June, Microsoft filed a civil lawsuit against three people for their role in a massive click fraud campaign that included targeting ads on the popular online role-playing game World of Warcraft.

Graham posted a YouTube video Thursday showing how the Bahama botnet works. He said the botnet continues to elude search engine and ad network filters because it generates paid clicks by piggybacking on normal user behavior, transforming an organic search into a paid click. For example, once a user clicks on a search engine result link to Dell.com, they are sent through several ad networks in the background before arriving at Dell.com.

"The filters aren't sensitive enough to detect the botnet traffic from organic traffic," Graham said. "It only hijacks certain queries so it doesn't force a lot of traffic through a particular ad network."

As a result, search engine and ad network filters don't see any huge volume spikes because the attackers are hijacking individual user queries and the keywords look natural and organic, Graham said.
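To make the point above concrete, here is an added example (not Click Forensics' code or the article's) over constructed click records with placeholder hostnames: a per-network volume threshold sees nothing, while inspecting each organic click's redirect chain flags the hijacked ones.

```python
from collections import Counter

# Constructed sample click records (not real traffic): each is an organic
# search-result click, with the chain of hosts the browser passed through
# before reaching the advertiser. All hostnames are placeholders.
AD_NETWORKS = {"adnet-a.example", "adnet-b.example", "adnet-c.example"}

CLICKS = [
    {"query": "dell laptops", "chain": ["search.example", "www.dell.com"]},
    {"query": "dell laptops", "chain": ["search.example", "adnet-a.example",
                                        "adnet-b.example", "www.dell.com"]},
    {"query": "running shoes", "chain": ["search.example", "shoes.example"]},
    {"query": "cheap flights", "chain": ["search.example", "adnet-c.example",
                                         "flights.example"]},
    {"query": "cheap flights", "chain": ["search.example", "flights.example"]},
    {"query": "dell monitors", "chain": ["search.example", "adnet-b.example",
                                         "www.dell.com"]},
]

# Normal paid-click volume each network sees per window (constructed baseline).
BASELINE = {"adnet-a.example": 1000, "adnet-b.example": 1000, "adnet-c.example": 1000}


def volume_spike_alerts(clicks, baseline, factor=1.5):
    """Per-network volume check: flag a network only when the hijacked
    clicks routed through it push its total above factor x normal volume.
    Spread across many networks, a few clicks each never trip this."""
    counts = Counter(h for c in clicks for h in c["chain"] if h in baseline)
    return sorted(h for h, n in counts.items()
                  if baseline[h] + n > factor * baseline[h])


def redirect_chain_alerts(clicks, ad_networks):
    """Per-click check: an organic result click should go straight from the
    search engine to the landing page; any ad-network hop in between means
    the organic click was converted into a paid one."""
    flagged = []
    for c in clicks:
        hops = [h for h in c["chain"][1:-1] if h in ad_networks]
        if hops:
            flagged.append((c["query"], c["chain"][-1], hops))
    return flagged


if __name__ == "__main__":
    print("volume alerts:", volume_spike_alerts(CLICKS, BASELINE))
    for q, dest, hops in redirect_chain_alerts(CLICKS, AD_NETWORKS):
        print(f"hijacked: '{q}' -> {dest} via {hops}")
```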

In addition, it uses networks of zombie machines it has infected to auto-generate paid clicks with no human interaction. The botnet has been so successful that it has affected up to 30% of an advertiser's monthly search budget for a specific campaign, according to Click Forensics.

Graham said the traffic and methods used by the botnet suggest it is identical to the adware campaign that affected advertisements on the NYTimes.com website last weekend. Both attacks called on the same IP address to authenticate, which suggests they are under the control of the same criminal gang, Graham said.

Security consultant Dancho Danchev wrote in a recent blog entry that evidence suggests NYTimes.com's problems likely stem from a Ukrainian organized cybercriminal gang known as the "fan club."

The Bahama botnet has since been reprogrammed to redirect traffic through other intermediate sites hosted in Amsterdam, Netherlands; the United Kingdom; and San Jose, Calif.

In its tests, Click Forensics said it found that only one of 20 popular antivirus programs is capable of identifying and removing the malware program responsible for bringing PCs under the control of the botnet. The company has contacted antivirus vendors as well as top ad networks and search engines to help them identify the nefarious traffic from the botnet.