If you thought the “rise of the machines” was only for sci-fi movies, think again. The rise of the machines has started, software machines that is. All the way back in 2011, Marc Andreessen famously wrote “Why Software Is Eating The World” in the Wall Street Journal. He was of course speaking of the ‘good’ software, such as Facebook, LinkedIn, Groupon and more. Unfortunately, for every ‘good’ piece of software there seems to be a ‘bad’ one. If this sounds like a movie script, it is not. It is the reality of click fraud botnets.
A botnet is a network of compromised computers, also known as zombies, that have been infected with malicious software. Botnets are probably the most widely known tool in the click fraud perpetrator’s toolkit. Bot programs are secretly installed on computers by means of worms, backdoors, Trojan horses, viruses, or other forms of malware. Upon infection, the bot herder, i.e. the fraudster in charge of the botnet, has nearly full control over the infected computer. We will provide a quick summary of two infamous click fraud bots, Ramdo and ZeroAccess, to help you understand the risks associated with these bots.
Ramdo – Still Alive and Clicking
“Unit 42 and Dell Secureworks Counter Threat Unit find click-fraud Ramdo malware family continues to plague users.” Ramdo is a family of malware that performs fraudulent website ‘clicks.’ Ramdo malware activity first surfaced in late 2013 and has since continued to infect machines worldwide. Before any network activity is performed, Ramdo checks whether it is running within a virtualized environment; the CTU blog post further explains how this check is done. Should Ramdo discover it is running in a virtualized environment, the seeds used for subsequent domain name generation are altered, resulting in connections to incorrectly generated domain names. Ramdo then attempts to determine whether it is connected to the Internet by making a simple HTTP request.
If Ramdo determines it is connected to the Internet, it proceeds to generate a domain. The distributor of this malware can easily change these links to whatever ad-generating URLs he or she wishes.
ZeroAccess – “Coughs Back to Life”
ZeroAccess was another piece of malicious software that was thought to have been defeated.
The computers that make up the botnet – servers, desktop PCs and in some cases even phones – are recruited in secret using malicious software.
Once they’re part of a botnet, computers can be tasked with a range of activities, most commonly sending out huge volumes of spam and malware.
A principal focus for ZeroAccess was click fraud – the act of making money illegally by clicking on your own PPC (Pay Per Click) adverts.
At its height the ZeroAccess botnet had roped in millions of victims and was costing online advertisers an estimated $2.7 million USD per month. The botnet controller can see the PC being used on his or her controller dashboard. The malware then reproduces the mouse activity that the human user performed on previous web pages, and clicks on an ad.
What can be done to prevent click fraud?
The team at Clickfrauds developed an algorithm that monitors your traffic live and responds to potential threats as they occur through the AdWords API. Instead of just sending you an email notification about the threats, our system automatically excludes the perpetrating IP addresses from your AdWords account. In addition, our system continually performs cross-account analysis to identify problematic IP addresses that could potentially threaten your account as well. Once a click-fraud-performing IP address has been identified within multiple accounts, it is marked as blacklisted. A blacklisted IP address is added to the blocked IP list for all of the accounts that our system monitors, saving these accounts from potential click fraud activity. Our system helps eliminate the threat of botnets and keeps you and your business protected.
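As an added illustration of the cross-account logic described above (this is not Clickfrauds’ own code; the thresholds, the log format and the sample IP addresses are constructed assumptions), here is the decision logic in Python: flag an IP inside one account when its click volume is suspicious, then promote it to a shared blacklist once several accounts have flagged it.

```python
"""Cross-account click-fraud IP correlation (added example, not Clickfrauds' code).

Step 1: flag an IP within a single account when its click count is suspicious.
Step 2: blacklist an IP globally once it has been flagged in several accounts.
Step 3: each account's exclusion list = its own flags plus the shared blacklist.
All threshold values, the log format and the sample data below are assumptions.
"""
from collections import Counter, defaultdict

# Constructed sample click log as (account_id, source_ip) pairs, using
# RFC 5737 documentation addresses. A real deployment would read these from
# a live traffic monitor or web-server access logs.
SAMPLE_CLICKS = [
    ("acct-A", "203.0.113.7"), ("acct-A", "203.0.113.7"), ("acct-A", "203.0.113.7"),
    ("acct-A", "198.51.100.2"),
    ("acct-B", "203.0.113.7"), ("acct-B", "203.0.113.7"), ("acct-B", "203.0.113.7"),
    ("acct-B", "192.0.2.9"), ("acct-B", "192.0.2.9"), ("acct-B", "192.0.2.9"),
    ("acct-C", "203.0.113.7"),
]

PER_ACCOUNT_THRESHOLD = 3  # assumed: clicks from one IP on one account before flagging
MIN_ACCOUNTS = 2           # assumed: accounts that must flag an IP before blacklisting


def flag_per_account(clicks, threshold=PER_ACCOUNT_THRESHOLD):
    """Return {account: set(ips)} for IPs whose click count meets the threshold."""
    counts = defaultdict(Counter)
    for account, ip in clicks:
        counts[account][ip] += 1
    return {acct: {ip for ip, n in c.items() if n >= threshold}
            for acct, c in counts.items()}


def cross_account_blacklist(flags, min_accounts=MIN_ACCOUNTS):
    """Promote IPs flagged in at least `min_accounts` distinct accounts."""
    seen_in = Counter(ip for ips in flags.values() for ip in ips)
    return {ip for ip, n in seen_in.items() if n >= min_accounts}


def exclusions_for(account, flags, blacklist):
    """IPs to exclude for one account: its own flags plus the shared blacklist.

    Note that acct-C saw only a single click from 203.0.113.7, yet still
    excludes it because other accounts already flagged that address.
    """
    return flags.get(account, set()) | blacklist


if __name__ == "__main__":
    flags = flag_per_account(SAMPLE_CLICKS)
    blacklist = cross_account_blacklist(flags)
    for acct in sorted(flags):
        print(acct, sorted(exclusions_for(acct, flags, blacklist)))
```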