
New Bahama botnet evades search engines, fuels click fraud

By Rob Westervelt, News Editor
22 Sep 2009 | SearchSecurity.in


Researchers at Click Forensics Inc. have discovered a new botnet that is evading search engines and is responsible for a rise in click fraud traffic and a popup adware scheme distributing rogue antivirus.

Named the Bahama botnet because it initially redirected traffic through 200,000 parked domains located in the Bahamas, it uses sophisticated methods to elude detection by search engine filters. It is responsible for a rise in Google search results that send visitors through several ad network redirects, sometimes linking to malware-infected sites. Some of the malicious links point to rogue antivirus programs that install malware onto victims' machines, turning them into automated click fraud generators. The scheme is believed to be tied to the same cybercriminal organization responsible for the adware campaign that affected advertisements on The New York Times website last weekend.

"The pattern of attack they're using is specifically designed to elude ad networks and they're doing it very successfully," said Matt Graham, a risk analyst at Click Forensics. "It's one of the most sophisticated attacks I've ever seen; mostly because of how good it looks and the quality of traffic it produces."

Click fraud has become a highly sophisticated scheme, bilking millions from online advertisers in recent years. The problem has become so pervasive that search engine giants Google, Yahoo and, most recently, Microsoft have started taking action. In June, Microsoft filed a civil lawsuit against three people for their role in a massive click fraud campaign that included targeting ads on the popular online role-playing game World of Warcraft.

Graham posted a YouTube video Thursday showing how the Bahama botnet works. He said the botnet continues to elude search engine and ad network filters because it generates paid clicks by using normal user behavior to transform an organic search into a paid click. For example, once a user clicks on a search engine result link to Dell.com, they are sent through several ad networks in the background before arriving at Dell.com.

"The filters aren't sensitive enough to detect the botnet traffic from organic traffic," Graham said. "It only hijacks certain queries so it doesn't force a lot of traffic through a particular ad network."

As a result, search engine and ad network filters don't see any huge volume spikes because the attackers are hijacking individual user queries and the keywords look natural and organic, Graham said.
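The redirect pattern Graham describes, and the reason a volume-based filter misses it, as an added example that is not part of the original article and is not Click Forensics' or any ad network's detection logic: a small Python script over constructed click records that flags organic search clicks whose path passed through ad-network redirectors, and that computes how thinly each hijacked query's traffic is spread across networks. Every hostname under the reserved .test TLD, the ad-network list and the click records are constructed for this example; Dell.com appears only because the article uses it as the landing site.

```python
"""Flag organic search clicks that were routed through ad-network redirectors.

Added example for the pattern described in the article. All hostnames under the
reserved .test TLD, the ad-network list and the click records are constructed;
this is not Click Forensics' detection logic or any ad network's filter.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed: redirector hosts operated by (hypothetical) paid ad networks.
AD_NETWORK_HOSTS = {"clicks.adnet-a.test", "r.adnet-b.test", "go.adnet-c.test"}
# Constructed: hosts whose organic result pages issue the original click.
SEARCH_ENGINE_HOSTS = {"www.search-engine.test"}


@dataclass(frozen=True)
class ClickRecord:
    query: str              # keyword the user searched for
    referrer: str           # host the click came from
    chain: Tuple[str, ...]  # hosts visited between the click and the landing page
    landing: str            # final page the browser arrived at


def is_hijacked_organic_click(rec: ClickRecord) -> bool:
    """An organic click should go straight from the result page to the
    landing site; ad-network hops in between mean a paid click was
    manufactured from a free one, which is what the article describes."""
    if rec.referrer not in SEARCH_ENGINE_HOSTS:
        return False  # paid placements legitimately travel via ad networks
    return any(host in AD_NETWORK_HOSTS for host in rec.chain)


def flag_hijacked(records: List[ClickRecord]) -> List[ClickRecord]:
    return [r for r in records if is_hijacked_organic_click(r)]


def network_share_per_query(records: List[ClickRecord]) -> Dict[Tuple[str, str], float]:
    """For organic clicks only: the fraction of each query's clicks that
    touched each ad network. A filter that alarms on a traffic burst at one
    network sees nothing unusual when hijacked queries are spread thin."""
    organic = [r for r in records if r.referrer in SEARCH_ENGINE_HOSTS]
    totals = Counter(r.query for r in organic)
    hits: Counter = Counter()
    for r in organic:
        for host in set(r.chain) & AD_NETWORK_HOSTS:
            hits[(r.query, host)] += 1
    return {key: n / totals[key[0]] for key, n in hits.items()}


def peak_network_share(records: List[ClickRecord]) -> float:
    """Largest per-query share any single network received from organic clicks."""
    shares = network_share_per_query(records)
    return max(shares.values()) if shares else 0.0


# Constructed click records: two hijacked organic clicks among ordinary ones,
# plus one genuine paid click from a non-search referrer that must not be flagged.
SE = "www.search-engine.test"
SAMPLE_CLICKS = [
    ClickRecord("dell laptops", SE, ("clicks.adnet-a.test", "r.adnet-b.test"), "www.dell.com"),
    ClickRecord("dell laptops", SE, (), "www.dell.com"),
    ClickRecord("dell laptops", SE, (), "www.dell.com"),
    ClickRecord("cheap flights", SE, ("go.adnet-c.test",), "www.airline.test"),
    ClickRecord("cheap flights", SE, (), "www.airline.test"),
    ClickRecord("weather today", "www.portal.test", ("r.adnet-b.test",), "www.weather.test"),
]

if __name__ == "__main__":
    for rec in flag_hijacked(SAMPLE_CLICKS):
        path = " -> ".join(rec.chain)
        print(f"hijacked organic click: {rec.query!r} via {path} -> {rec.landing}")
    print(f"peak share of any query's clicks at one network: {peak_network_share(SAMPLE_CLICKS):.2f}")
```

The path check is the part an ad network or advertiser can apply to its own click logs: the signal is not how much traffic a network receives but that a click whose referrer is an organic result page touched a paid redirector at all. The per-query share function shows the other half of Graham's point: in the sample no network ever receives more than half of one query's clicks, so a threshold on aggregate volume has nothing to trip on.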

In addition, the botnet uses networks of zombie machines it has infected to auto-generate paid clicks with no human interaction. It has been so successful that it can consume up to 30% of an advertiser's monthly search budget for a specific campaign, according to Click Forensics.

Graham said the traffic and methods used by the botnet suggest it is identical to the adware campaign that affected advertisements on the NYTimes.com website last weekend. Both attacks called on the same IP address to authenticate, which suggests they are under the control of the same criminal gang, Graham said.

Security consultant Dancho Danchev wrote in a recent blog entry that evidence suggests NYTimes.com's problems likely stem from a Ukrainian organized cybercriminal gang known as the "fan club."

The Bahama botnet has since been reprogrammed to redirect traffic through other intermediate sites hosted in Amsterdam, Netherlands; the United Kingdom; and San Jose, Calif.

In its tests, Click Forensics said it found that only one antivirus program out of 20 popular ones is capable of identifying and removing the malware program responsible for bringing PCs under the control of the botnet. The company has contacted antivirus vendors as well as top ad networks and search engines to help them identify the botnet's traffic.
