Abstract
With the widespread adoption of Internet advertising, fraud has become a systemic problem. While the existence of clickbots—malware specialized for conducting click-fraud—has been known for a number of years, the actual functioning of these programs has seen little study. We examine the operation and underlying economic models of two families of modern clickbots, “Fiesta” and “7cy.” By operating the malware specimens in a controlled environment we reverse-engineered the protocols used to direct the clickbots in their activities. We then devised a milker program that mimics clickbots requesting instructions, enabling us to extract over 360,000 click-fraud directives from the clickbots’ control servers. We report on the functioning of the clickbots, the steps they employ to evade detection, variations in how their masters operate them depending on their geographic locality, and the differing economic models underlying their activity.
Student co-leads listed alphabetically.
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Miller, B., Pearce, P., Grier, C., Kreibich, C., Paxson, V. (2011). What’s Clicking What? Techniques and Innovations of Today’s Clickbots. In: Holz, T., Bos, H. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2011. Lecture Notes in Computer Science, vol 6739. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-22424-9_10
DOI: https://doi.org/10.1007/978-3-642-22424-9_10
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-22423-2
Online ISBN: 978-3-642-22424-9
eBook Packages: Computer Science (R0)