What’s Clicking What? Techniques and Innovations of Today’s Clickbots

  • Brad Miller
  • Paul Pearce
  • Chris Grier
  • Christian Kreibich
  • Vern Paxson
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6739)


With the widespread adoption of Internet advertising, fraud has become a systemic problem. While the existence of clickbots—malware specialized for conducting click-fraud—has been known for a number of years, the actual functioning of these programs has seen little study. We examine the operation and underlying economic models of two families of modern clickbots, “Fiesta” and “7cy.” By operating the malware specimens in a controlled environment we reverse-engineered the protocols used to direct the clickbots in their activities. We then devised a milker program that mimics clickbots requesting instructions, enabling us to extract over 360,000 click-fraud directives from the clickbots’ control servers. We report on the functioning of the clickbots, the steps they employ to evade detection, variations in how their masters operate them depending on their geographic locality, and the differing economic models underlying their activity.


Hong Kong Exit Node Internet Advertising Containment Server Advertise Site 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abu Rajab, M., Zarfoss, J., Monrose, F., Terzis, A.: A Multifaceted Approach to Understanding the Botnet Phenomenon. In: Proc. of SIGCOMM (2006)Google Scholar
  2. 2.
    Bodmer, S., Vandegrift, M.: Looking Back at Murofet, a ZeuSbot Variants Active History (November 2010)
  3. 3.
    Buehrer, G., Stokes, J.W., Chellapilla, K.: A Large-scale Study of Automated Web Search Traffic. In: Proc. of Workshop on Adversarial Information Retrieval on the Web (2008)Google Scholar
  4. 4.
    Caballero, J., Grier, C., Kreibich, C., Paxson, V.: Measuring Pay-per-Install: The Commoditization of Malware Distribution. In: Proc. of the USENIX Security (2011)Google Scholar
  5. 5.
    Caballero, J., Poosankam, P., Kreibich, C., Song, D.: Dispatcher: Enabling Active Botnet Infiltration using Automatic Protocol Reverse-Engineering. In: Proc. of ACM CCS (2009)Google Scholar
  6. 6.
    Chiang, K., Lloyd, L.: A Case Study of the Rustock Rootkit and Spam Bot. In: Proc. of the 1st Workshop on Hot Topics in Understanding Botnets, USENIX Association (2007)Google Scholar
  7. 7.
    Cho, C.Y., Caballero, J., Grier, C., Paxson, V., Song, D.: Insights from the Inside: A View of Botnet Management from Infiltration. In: Proc. of LEET (2010)Google Scholar
  8. 8.
  9. 9.
    Daswani, N., Stoppelman, M.: The Anatomy of Clickbot.A. In: Proc. of the Workshop on Hot Topics in Understanding Botnets (2007)Google Scholar
  10. 10.
    Dingledine, R., Mathewson, N., Syverson, P.: Tor: The Second-Generation Onion Router. In: Proc. of USENIX Security (2004)Google Scholar
  11. 11.
    Gummadi, R., Balakrishnan, H., Maniatis, P., Ratnasamy, S.: Not-a-Bot: Improving Service Availability in the Face of Botnet Attacks. In: Proc. of the 6th USENIX Symposium on Networked Systems Design and Implementation, pp. 307–320 (2009)Google Scholar
  12. 12.
    Holz, T., Steiner, M., Dahl, F., Biersack, E., Freiling, F.: Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm. In: Proc. of the LEET (2008)Google Scholar
  13. 13.
    John, J.P., Moshchuk, A., Gribble, S.D., Krishnamurthy, A.: Studying Spamming Botnets Using Botlab. In: Proc. of the USENIX NSDI (2009)Google Scholar
  14. 14.
    Juels, A., Stamm, S., Jakobsson, M.: Combating Click Fraud Via Premium Clicks. In: Proc. of the USENIX Security (2007)Google Scholar
  15. 15.
    Kang, H., Wang, K., Soukal, D., Behr, F., Zheng, Z.: Large-scale Bot Detection for Search Engines. In: Proc. of WWW (2010)Google Scholar
  16. 16.
    Kintana, C., Turner, D., Pan, J.Y., Metwally, A., Daswani, N., Chin, E., Bortz, A.: The Goals and Challenges of Click Fraud Penetration Testing Systems. In: Proc. of the Intl. Symposium on Software Reliability Engineering (2009)Google Scholar
  17. 17.
    Kohler, E., Morris, R., Chen, B., Jannotti, J., Kaashoek, M.F.: The Click Modular Router. ACM Transactions Computer Systems 18, 263–297 (2000), CrossRefGoogle Scholar
  18. 18.
    Kshetri, N.: The Economics of Click Fraud. IEEE Security Privacy 8, 45–53 (2010)CrossRefGoogle Scholar
  19. 19.
    Polychronakis, M., Mavrommatis, P., Provos, N.: Ghost turns Zombie: Exploring the Life Cycle of Web-based Malware. In: Proc. of LEET (2008)Google Scholar
  20. 20.
    Tuzhilin, A.: The Lane’s Gift vs. Google Report (2006) ,
  21. 21.
    The Underground Economy of the Pay-Per-Install (PPI) Business (September 2009),
  22. 22.
    Villeneuve, N.: Koobface: Inside a Crimeware Network (November 2010),
  23. 23.
    Yu, F., Xie, Y., Ke, Q.: SBotMiner: Large Scale Search Bot Detection. In: Proc. of the Intl. Conference on Web Search and Data Mining (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Brad Miller
    • 1
  • Paul Pearce
    • 1
  • Chris Grier
    • 1
    • 2
  • Christian Kreibich
    • 2
  • Vern Paxson
    • 1
    • 2
  1. 1.Computer Science DivisionUniversity of California BerkeleyUSA
  2. 2.International Computer Science InstituteUSA

Personalised recommendations