Botnets For Click Fraud - How the Bots Work
Let's see how these bots perpetrate click fraud, how they are propagated, who is fighting them and what the projections are. Computers become bots when they pick up viruses or other malicious software built by programmers to turn the PCs they infect into zombies. According to Symantec, two out of every ten viruses are rigged to turn PCs into zombie PCs. They are mostly spread by email or by bots crawling the net looking for lapses in Windows security. Symantec also projects that more malicious code will be hidden in multimedia file formats in future virus outbreaks.
KMeth, Propagation and Operation
One of the bots (KMeth) that was specifically used for click fraud is spread via instant messaging (it was the bot responsible for the mesothelioma discovered by FaceTime Security). It exploits vulnerabilities in Internet Explorer to infect surfers and promotes itself through instant messages sent to the Yahoo! Messenger contacts of users affected by the bot. It sends all of those contacts messages with links; anyone who opens a link and visits the site gets their PC infected.
Like all good malware, it imposes a new home page, which points to fraudulent MFA sites. It also goes a step further to reduce its detectability by employing various social engineering techniques. Apart from clicking on ads and banners, the bot simply drives traffic to sites, not clicking on the ads itself but leaving the humans to decide what to do. This beats the search engine's first level of detection, an automated screening process that filters out known fraudsters (human or robotic).
KMeth is primarily designed to defeat the next two (three for Google) levels of search engine security by spreading the clicks over a large network (a thousand computers is the smallest network a bot master will rent out) and over a period of time. Human statisticians and the advertisers who keep an eye out for irregularities in the clicks will be hard pressed to find and plug the "leaks" that exist.
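Why spreading clicks over many machines and many days slips past a simple automated screen, shown as an added example that is not from the original article: a constructed click log is run through a per-IP daily threshold and through a longer-window check on repeat visitors. The log entries, publisher names, thresholds and the repeat-day heuristic are all assumptions made for illustration, not how any search engine actually screens clicks.

```python
from collections import Counter, defaultdict

def build_sample_log():
    """Constructed click log of (ip, publisher, day) tuples; all values are made up."""
    log = [("198.51.100.7", "pub-noisy", 1)] * 40          # one host, 40 clicks in a day
    for day in range(1, 11):                                # 200 hosts, 1 click/day, 10 days
        log += [(f"10.0.0.{h}", "pub-mfa", day) for h in range(200)]
    for v in range(2000):                                   # 2000 one-time organic visitors
        log.append((f"172.16.{v // 250}.{v % 250}", "pub-organic", 1 + v % 10))
    return log

def per_ip_daily_flags(log, max_clicks_per_day=5):
    """Simple screen: flag any IP that exceeds a daily click threshold."""
    counts = Counter((ip, day) for ip, _pub, day in log)
    return {ip for (ip, _day), n in counts.items() if n > max_clicks_per_day}

def repeat_day_share(log, min_days=5):
    """Per publisher: share of clicks from IPs that clicked it on >= min_days distinct days.

    Hypothetical heuristic: organic visitors rarely click ads on the same site
    on many separate days, while low-rate bots return day after day.
    """
    days = defaultdict(set)   # (publisher, ip) -> distinct days seen
    clicks = Counter()        # (publisher, ip) -> click count
    for ip, pub, day in log:
        days[(pub, ip)].add(day)
        clicks[(pub, ip)] += 1
    total, repeat = Counter(), Counter()
    for (pub, ip), n in clicks.items():
        total[pub] += n
        if len(days[(pub, ip)]) >= min_days:
            repeat[pub] += n
    return {pub: repeat[pub] / total[pub] for pub in total}

if __name__ == "__main__":
    log = build_sample_log()
    # Only the single noisy host trips the daily threshold.
    print("per-IP daily flags:", per_ip_daily_flags(log))
    # The distributed pattern stands out only in the longer window.
    for pub, share in sorted(repeat_day_share(log).items()):
        print(f"{pub}: {share:.0%} of clicks from repeat-day IPs")
```

The distributed pattern never exceeds one click per host per day, so the threshold screen reports only the noisy host; it becomes visible only when clicks are aggregated per publisher across the whole period.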
Clickbot.A
In May 2006 PandaLabs detected Clickbot.A, running on at least 34,000 zombie computers. Clickbot.A is used exclusively for click fraud. The bots are controlled remotely from several web servers. The "perps" can define the number of clicks for specified "zombies" in order not to arouse suspicion, and can direct the bots to specific web sites.
The Clickbot.A bot initializes itself by launching a dynamic link library and then later deletes its executable file. Once it initializes, it updates the botmaster's database and can even be updated itself. It also requests links to click on after checking that it has received authorization to do so. Luis Corrons (Director of PandaLabs) notes that PandaLabs detects unknown threats by complementing standard antivirus products with their TruPrevent technology, which has detected 46,000 examples of new malware since it was first released in 2004.
More By Akinola Akintomide