Neil Matthews from Fraudulent Clicks presents a guest post on Google's analysis of ClickBot,A, a software bot which launches click fraud attacks.
Deep inside area 51 at Google's HQ in Mountain View California an autopsy of an alien invader was performed by highly skilled technicians.
Only joking, what really happened was that a piece of malicious click fraud software known as ClickBot.A was dissected and a white paper on it's modus operandi was created by Neil Daswani and Michael Stoppelman of the Google click quality team.
The paper entitled The Anatomy of Clickbot.A can be downloaded for review, but this post aims to take what is a highly technical piece and summarize it for people without a doctorate in computer science.
Google quite smugly start their report by saying all invalid clicks performed by this particular bot are captured by the search engine's invalid click filtering systems. The reason for dissecting the clickbot and publishing the results was to educate the wider security community on the threat posed by this type of attack.
What was unusual about the system was the "low noise" nature of the attack. A huge number of clicks were not being generated rather a slow click rate more reminiscent of real user activity. Here is how the click bots works:
The software uses syndicated search engines and does not directly attack Google. In this model Google posts sponsored links on the pages of a smaller search engine. Big G has this relationship with companies such as Ask or AOL. Then an end user publisher sub-syndicates these adverts to display on their own website. In essence this could be thought of displaying Adsense ads via one of Google's partner companies. The report did not mention which company was the syndicate.
The increased layers of abstraction along with low level of clicks makes this type of attack more difficult to spot.
The nefarious Bot Master then has a network of zombie machines with a plugin installed on Internet explorer. These machines each with their own IP address are sent off to raise clicks against the sub-syndicated site thereby creating a fraudulent income for the Bot Master.
The first manifestation of this code was seen in May 2006 when it was estimated that there were 100 infected machines, by mid June this had ramped up to 100,000 zombie PCs. This speed of propagation is thought to be quite slow by modern attack standards, which reiterates the slow, low noise nature of the attack.
Google goes on to provide a "back of the envelope" estimate of the cost of an attack. They estimate a figure of $50,000 as the expected income for the Bot Master.
At the end of the report, the staff at Google announce that the creator of clickBot.A is an "intelligent adversary and serves as evidence that the level of sophistication amongst attackers is increasing."
Those who pour scorn on the click fraud problem calling it all hype are missing the real threat from hi-tech organized crime.
Thanks Neil, for that interesting guest post!