Clickbot.A is a botnet designed for industrial and "low-profile" click fraud in syndicated search engines. The bots were first discovered in May 2006. At that time, about a hundred computers were infected, and in just one month the network grew to 100 thousand infected machines. It was significantly improved compared to previous botnets.
Contents
1. Description
2. Speed of infection
3. Operating principle
4. Damage
5. How to protect advertising from botnet attacks
Name | Clickbot.A |
Status | Deactivated |
Description | A Trojan-type malware used to carry out click fraud using doorway sites. |
Description
Clickbot.A is a malicious clickbot from the Trojan family. Its operator acted on behalf of the publisher and created multiple doorway sites at once for monetization through advertising, which the bots clicked.
Clickbot.A controlled devices via HTTP using a master bot. Like many other botnets, it consisted of clients (bots) and a master bot, and sent HTTP requests to doorways, redirectors, and search results pages on the site.
The botnet's client was an Internet Explorer helper object. Like other objects, it ran alongside other browser processes and was capable of full access to the web document object model (DOM). It was configured to receive HTTP requests sent by real IE clients, and the work of accessing and parsing web pages was performed automatically.
The master bot was implemented as an HTTP-based web application using PHP scripts and a MySQL database. Many of the sites the operator used to manage the bots, doorways, and redirectors were hosted by compromised ISP hosting accounts.
Speed of infection
In just one month of the botnet's activity, the number of infected machines increased from 100 in May to 100,000 in June. The malware got onto computers by downloading a known Trojan virus that was disguised as a game. After infection, it contacted the master bot, which reported which executable file to download next. The last of the chain of downloaded and executable files was Clickbot.A.
It is believed that the Clickbot.A operator paid or collaborated on a mutually beneficial basis with the operator of another botnet to inject the Clickbot.A client onto computers that were already part of the third-party botnet.
Operating principle
To click on ads, the bot from the Clickbot.A network performed the following actions:
- Contacted the master bot for registration.
- Received a link to a doorway site.
- Received instructions on what keywords to search for on the site.
Once a client registered, an entry for it appeared in the master bot's administration console. In addition to reporting the IP address, time of last connection, number of clicks performed, and client version of every bot connected to it, the console allowed the operator to terminate the connection with any client the operator had suspicions about.
After registration, the bot launched an endless loop, during which it requested a doorway site and a keyword, gained access to the resource, and selected a link to go from the doorway. Experts who analyzed the botnet noticed that the client bot repeated the cycle once every 15 minutes.
The Clickbot.A botnet operator could dynamically change the master bot and use new doorways. If the master bot lost access to the provider's servers, the botnet operator simply instructed all bot clients to switch to using another master bot and continued to deceive advertisers and rake in money.
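The fixed 15-minute cycle described above gives defenders a timing signal to look for in click logs. The following is an added example, not code from the original analysis or from any ad platform: it flags clients whose clicks arrive at near-constant intervals. The log format, host names, IP addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample click log: "ISO timestamp, client IP, referrer host".
SAMPLE_LOG = """\
2006-06-01T10:00:05 198.51.100.7 doorway.example
2006-06-01T10:15:02 198.51.100.7 doorway.example
2006-06-01T10:30:09 198.51.100.7 doorway.example
2006-06-01T10:45:04 198.51.100.7 doorway.example
2006-06-01T11:00:05 198.51.100.7 doorway.example
2006-06-01T10:03:11 203.0.113.20 news.example
2006-06-01T10:04:40 203.0.113.20 news.example
2006-06-01T12:47:19 203.0.113.20 shop.example
2006-06-01T16:20:03 203.0.113.20 news.example
2006-06-01T16:21:55 203.0.113.20 news.example
2006-06-01T10:10:00 192.0.2.33 doorway.example
2006-06-01T10:25:00 192.0.2.33 doorway.example
"""

def parse_clicks(text):
    """Group click timestamps by client IP, skipping malformed lines."""
    clicks = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, _referrer = parts
        clicks[ip].append(datetime.fromisoformat(ts))
    return clicks

def periodic_clients(clicks, min_clicks=4, max_cv=0.05):
    """Return {ip: mean gap in seconds} for clients with machine-like timing.

    Flags a client when the coefficient of variation (stddev / mean) of its
    inter-click gaps is at most max_cv. Thresholds are illustrative assumptions.
    """
    flagged = {}
    for ip, times in clicks.items():
        if len(times) < min_clicks:
            continue  # too few events to judge periodicity
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[ip] = round(avg)
    return flagged

if __name__ == "__main__":
    print(periodic_clients(parse_clicks(SAMPLE_LOG)))
```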
Damage
Clickbot.A caused financial losses to advertisers because the ad networks or platforms they were hosted on did nothing to detect and block fraudulent ad clicks.
The bot was set up to conduct a "silent" attack: each client clicked on ads only once every 15 minutes, so it did not slow down the computer or significantly affect the machine's performance. Therefore, device owners had no reason to clean their PCs of viruses. That is why the responsibility should have fallen on search engines, advertising platforms, website owners, and other participants in the advertising cycle.
One can only roughly estimate the damage that the Clickbot.A botnet caused to advertisers and advertising platforms. If 100,000 machines performed 20 clicks each, 1 in 10 links on the doorway site led to a page with a Google ad, the bot clicked on the link in one of two cases, and the average cost per click was $0.50 (in 2006), then the upper limit of damage to Google was presumably 100,000 * 20 * 0.1 * 0.5 * 0.5 = 50 thousand dollars.
Google's advertising platform detected all clicks in its advertising system whose behavior pattern matched this botnet and moved them to invalid status.
How to Protect Ads from Botnet Attacks
Botfaqtor is a service for protecting advertising campaigns from bots, clickers and other suspicious transitions. It uses machine learning and compares user behavior patterns, based on which it blocks malicious attacks from botnets.
The service identifies bot transitions by 100 technical and behavioral parameters that correspond to fraudulent patterns. At the moment, the total number of detected bots in our clients' campaigns is about 18 million in Yandex and 8 million in Google.
The Botfaqtor service marks fraudulent clicks made by bots, competitors and random users in Yandex.Metrica by ClientID using a special parameter as invalid and displays them in advertising traffic reports. Based on this parameter, the bid adjustment of the advertising campaign is also updated with the value “-100%”. In Google Ads, exclusions are added to Audiences. That is, in the future, advertisements will not be shown to “caught” bots and other clickers.