Research: May 2006 Archives

Chris Boyd and I talked about the possibility of this happening back in March during our podcast with Jeff Molander. In this instance I will quote myself:


Porter says, "Once you've compromised a PC you own it... it's yours you can do with it what you want and you can emulate that activity. Because that net is spread out... you can execute any type of activity and get away with it - from sending spam to recommending certain Web sites to infecting them with more adware to emulating surfing activity and possibly emulating click activity... yes... definitely for sure."

It appears our unfortunate prophecy has become "documented reality": a botnet owner took aim at AdSense with a small herd of bots designed to click on AdSense ads, as noted by the SANS Institute's Internet Storm Center...


Bottom line is that the advertiser pays in exchange for a bot visiting him.

It seems some bot operator left a website with both the bot's *.exe and the web based control panels wide open. An anonymous source sent us the URL.

The critical part to note about this activity documented by SANS is this:


It is interesting to note that the botnet was 115 bots in size at the early time of the day I was looking at it and most were under 15 clicks each.

Note the small size of the botnet: without an anonymous tip and some lack of planning by the botnet owner, it might have gone undetected for a long time. This means it was either immature in size or the owner knew to keep the size of the herd under the radar. This is, unfortunately, what we thought we would see, and The Register noted it:


Generating traffic from a small number of machines (numbered in the hundreds) makes the traffic generated from compromised machines look innocuous. In return for helping click fraud scammers keep a low profile, botnet owners rake in a percentage from the scam.

No doubt we will see more of this in the future. Whether this is contained or not will depend much on how savvy Google is in detecting and shutting down this activity, as well as how well users guard their machines.

I wish I could say the prognosis was better...

Many others have picked up on this activity and that's good. The more people know about it, the better it can be defended against.
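
To make the "under the radar" point concrete, here is an added detection sketch (not code from this post, SANS, or Google) showing why a per-machine click limit misses a herd of 115 bots at about a dozen clicks each, while grouping clicks by the publisher who gets paid exposes it. The log format, the publisher IDs, the addresses and every threshold are constructed assumptions.

```python
from collections import Counter, defaultdict

def build_constructed_log():
    """Constructed sample: one (source_ip, publisher_id) tuple per ad click in a day."""
    log = []
    # 115 bots, 12 clicks each, all on one publisher's ads (sizes follow the post).
    for b in range(115):
        log += [(f"10.0.0.{b}", "pub-07")] * 12
    # 600 organic visitors, 1-2 clicks each, spread over 20 publishers (incl. pub-07).
    for u in range(600):
        log += [(f"192.168.{u // 256}.{u % 256}", f"pub-{u % 20:02d}")] * (1 + u % 2)
    return log

def noisy_sources(log, per_source_limit=50):
    """Naive check: flag any single source exceeding a daily click limit."""
    totals = Counter(src for src, _ in log)
    return sorted(src for src, n in totals.items() if n > per_source_limit)

def suspicious_publishers(log, repeat_clicks=5, min_repeaters=20, min_share=0.5):
    """Flag publishers whose clicks mostly come from many repeat-clicking sources."""
    per_pair = Counter(log)                    # (source, publisher) -> clicks
    clicks = Counter(pub for _, pub in log)    # publisher -> total clicks
    repeaters = defaultdict(int)               # publisher -> number of repeat sources
    repeat_volume = defaultdict(int)           # publisher -> clicks from repeat sources
    for (src, pub), n in per_pair.items():
        if n >= repeat_clicks:                 # organic visitors rarely click this often
            repeaters[pub] += 1
            repeat_volume[pub] += n
    return sorted(
        pub for pub in repeaters
        if repeaters[pub] >= min_repeaters
        and repeat_volume[pub] / clicks[pub] >= min_share
    )

if __name__ == "__main__":
    log = build_constructed_log()
    print("per-source alerts:", noisy_sources(log))        # no single bot stands out
    print("publisher alerts:", suspicious_publishers(log)) # the paid publisher does
```
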

About this Archive

This page is an archive of entries in the Research category from May 2006.
