CLICKbot

With pay-per-click programs such as Google AdSense, there is another way to earn money from advertisers: build a scam where the money flows like this:

  • The advertisers pay Google for clicks in the hope of selling something.
  • Google has a bunch of publishers who own a website and run banners for it. Google pays a high percentage of the revenue to the publisher.
  • Some of these publishers aren't honest, but Google tries to detect fraudulent clicks and suspends them, so the publishers need to hide the additional clicks better.
  • Somebody with a botnet generates the clicks from a few hundred machines and makes sure they look as innocent as possible, keeping a low profile while at it. Of course the botnet owner will want a share from the publisher.

Bottom line is that the advertiser pays in exchange for a bot visiting him.

It seems some bot operator left a website with both the bot's *.exe and the web based control panels wide open. An anonymous source sent us the URL.

While some of the *.exe's were detected pretty well, this one stood out [Virustotal results]:

AntiVir              6.34.1.27/20060514       found [TR/Drop.Small.ann.1]
Avast                4.6.695.0/20060512       found nothing
AVG                  386/20060512             found nothing
BitDefender          7.2/20060514             found nothing
CAT-QuickHeal        8.00/20060512            found [(Suspicious) - DNAScan]
ClamAV               devel-20060426/20060512  found nothing
DrWeb                4.33/20060514            found [Adware.IEHelper]
eTrust-InoculateIT   23.72.7/20060512         found nothing
eTrust-Vet           12.4.2207/20060512       found nothing
Ewido                3.5/20060513             found [Hijacker.BHO.d]
Fortinet             2.76.0.0/20060514        found [suspicious]
F-Prot               3.16c/20060512           found nothing
Ikarus               0.2.65.0/20060512        found nothing
Kaspersky            4.0.2.24/20060514        found [Trojan-Dropper.Win32.Small.ann]
McAfee               4761/20060512            found nothing
Microsoft            1.1372/20060513          found nothing
NOD32v2              1.1536/20060513          found nothing
Norman               5.90.17/20060512         found nothing
Panda                9.0.0.4/20060513         found [Suspicious file]
Sophos               4.05.0/20060513          found nothing
Symantec             8.0/20060514             found nothing
TheHacker            5.9.7.142/20060512       found nothing
UNA                  1.83/20060512            found nothing
VBA32                3.11.0/20060513          found nothing

It is interesting to note that the botnet was 115 bots in size early in the day when I was looking at it, and most bots had fewer than 15 clicks each.
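The low-profile pattern above (many hosts, each staying under a small per-host click count) is itself a signal an ad network or publisher can look for. The following is an added example with constructed log data, not code from the diary or from Google; the log format, the publisher names and the thresholds (10 hosts, an 8-14 click band, 60% share) are assumptions for illustration.

```python
"""Flag publishers whose clicks look like a low-profile clickbot: many source
IPs that each stop just under a small per-host click count. Added example
with constructed data; not code from the ISC diary or any ad network."""
from collections import Counter, defaultdict


def build_sample_log():
    """Constructed ad-click log lines: '<date> <publisher> <source-ip>'."""
    lines = []
    # Organic-looking publisher: mostly one click per visitor.
    organic = [1, 1, 1, 2, 1, 1, 3, 1, 1, 2, 1, 1]
    for i, n in enumerate(organic):
        lines += [f"2006-05-14 pub-organic 10.0.1.{i + 1}"] * n
    # Colluding publisher: 12 hosts each making 10-14 clicks, under a cap of 15.
    for i in range(12):
        lines += [f"2006-05-14 pub-suspect 10.0.2.{i + 1}"] * (10 + i % 5)
    return lines


def clicks_per_ip(lines):
    """Return {publisher: Counter{ip: clicks}} parsed from the log lines."""
    table = defaultdict(Counter)
    for line in lines:
        _date, publisher, ip = line.split()
        table[publisher][ip] += 1
    return table


def band_share(counter, low, high):
    """Fraction of a publisher's IPs whose click count lies in [low, high]."""
    counts = list(counter.values())
    return sum(low <= n <= high for n in counts) / len(counts)


def flag_publishers(lines, min_ips=10, band=(8, 14), min_share=0.6):
    """Publishers with >= min_ips hosts, most of them clustered in the band.
    Organic traffic is dominated by one-click visitors; a capped bot
    population clusters just below its cap."""
    flagged = {}
    for publisher, counter in clicks_per_ip(lines).items():
        if len(counter) >= min_ips:
            share = band_share(counter, *band)
            if share >= min_share:
                flagged[publisher] = round(share, 2)
    return flagged


if __name__ == "__main__":
    print(flag_publishers(build_sample_log()))  # {'pub-suspect': 1.0}
```

The thresholds would need tuning against real baseline traffic; the point is that a per-host cap meant to look innocent produces an unnaturally uniform distribution across hosts.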

It's been reported to Google in order to make sure nobody gets paid.

--
Swa Frantzen - Section 66