“Pay Per Click” fraud botnet discovered

PandaLabs has detected a network of computers infected with the bot Clickbot.A, which is being used to defraud “pay per click’ systems, registering clicks automatically and providing lucrative returns for the creators. According to the data collected so far, the scam is exploiting a global network comprising more than 34,000 zombie computers (those infected by the bot).

The bots are controlled remotely through several Web servers. This allows the perpetrators to define, for example, the web pages on which the adverts are hosted or the maximum number of clicks from any one IP address in order not to arouse suspicions. Similarly, the number of clicks from the bot can be monitored as well as the computers online at any one time. The system used can evade fraud detection systems by sending click requests from different, unrelated IP addresses.

“Renting and selling of botnets has become a genuine business model for cyber-crooks. The scam we have now uncovered exploits infected systems to generate profits through “Pay per Click’ systems, instead of by installing spyware sending spam,” explains Luis Corrons, director of PandaLabs. “Given the proliferation of these networks, it is highly advisable for users to scan their systems with fully up-to-date anti-malware solutions, as bots like those involved in this case can be perfectly concealed on computers”.

The Clickbot.A mechanism consists of two parts. The first is an executable file that launches a dynamic link library on the system, which later deletes itself. The second is a component of Internet Explorer that notifies the attacker that computer is infected, even allowing the control components to be updated. The bot then registers in the database of the control system, checking that the creator has given authorization to start clicking, and if so, will request the list of addresses from which to click.

Bots represent one of the fastest growing threats on the Internet, given that they adapt perfectly to the new malware dynamic in which threat creators are no longer searching for notoriety, but for financial returns. With this in mind, they try to ensure their creations are installed without arousing the suspicions of users or security companies.

“The current situation requires the use of proactive technologies, which can detect unknown threats by examining their behavior and complements traditional antivirus products. For example, our TruPrevent proactive technologies have detected more than 46,000 examples of new malware since first released in 2004,” adds Corrons.

Don't miss