Botnet has ties to click fraud and Facebook’s Fan Check scare
by Steve Ragan - Sep 18 2009, 17:00
Researchers have discovered a botnet with ties to both massive click fraud and the recent Fan Check scare that targeted the popular Facebook application. The team at Click Forensics, which dubbed it the Bahama Botnet, says that the botnet uses methods to mask itself as a legitimate, high-quality source of search advertising traffic.
The Bahama Botnet got its name from how it was first detected. Researchers at Click Forensics discovered it redirecting traffic through some 200,000 parked domains located in the Bahamas. Since its initial discovery, however, traffic has been redirected through other sites hosted in Amsterdam, Netherlands; the United Kingdom; and San Jose, California.
“What makes the botnet so insidious is that it operates intermittently so that the user doesn’t really know that anything is wrong. Additionally, it can operate independently of the user because the authors appear to be building a large database of authentically user-generated search queries,” wrote Steve O’Brien, on the Click Forensics blog.
“And because the queries come from many different machines (IPs) across a broad segment of the Internet population, it is very difficult to find and identify these clicks as fraudulent,” he added.
Click Forensics’ research tied the Bahama Botnet to links that helped spread rogue antivirus software when users searched for information about the Fan Check Virus earlier this month. Moreover, the botnet itself has drained advertising budgets: it is reported to be responsible for massive click fraud, sometimes killing up to 30 percent of an advertiser’s budget.
"During the past four years we've monitored billions of clicks for top search engines, ad networks, publishers and advertisers. This scheme is one of the most sophisticated we've seen," said Paul Pellman, CEO of Click Forensics.
"The botnet is effectively disguising the fraud it produces as 'good traffic' by altering the interval and breadth of the attacks across legions of infected machines."
During onsite testing, Click Forensics found that only one of the 20 most popular antivirus programs was capable of identifying and removing the malicious software responsible for bringing PCs under the control of the botnet.
As a result, Click Forensics has reached out to security vendors like Symantec and McAfee for help removing the malware. The company is also cooperating closely with top ad networks, search engines, advertisers, and online publishers to ensure that traffic from the botnet is properly identified.
