Massive Chameleon botnet steals $6M per month from advertisers
Posted on 19 March 2013.
Web traffic analytics firm spider.io has discovered a massive botnet that emulates human visitors in order to earn its master(s) over $6 million per month from online advertisers.


Dubbed Chameleon, the botnet numbers over 120,000 hosts located in the US, running Microsoft Windows and accessing the Web through a Flash-enabled Trident-based browser that executes JavaScript.

"Chameleon is a sophisticated botnet," the researchers shared. "Bots generate click traces indicative of normal users. Bots also generate client-side events indicative of normal user engagement. They click on ad impressions with an average click-through rate of 0.02%; and they surprisingly generate mouse traces across 11% of ad impressions."

The company has been tracking the botnet since last December, searching for specific patterns typical of this bot activity, such as crashing and restarting regularly, targeting a specific cluster of 202 websites, simulating the visitation of a number of web pages across a number of websites, and so on.

Apart from its obvious sophistication, the botnet is also notable for the amount of money it generates for its master(s), and for being the first one spotted to affect display ad advertisers instead of text link ones.

Every month the botnet has been serving at least 14 billion ad impressions, using at least 7 million distinct ad-exchange cookies, exchanged after each bot crash.

"Despite the sophistication of each individual bot at the micro level, the traffic generated by the botnet in aggregate is highly homogenous," the researchers pointed out. "All the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7. The bots visit the same set of websites, with little variation. The bots generate uniformly random click co-ordinates across ad impressions and the bots also generate randomized mouse traces."

Spider.io has compiled a blacklist of 5,000 IP addresses of the worst bots participating in the Chameleon botnet.









Spotlight

The synergy of hackers and tools at the Black Hat Arsenal

Posted on 27 August 2014.  |  Tucked away from the glamour of the vendor booths and the large presentation rooms filled with rockstar sessions, was the Arsenal - a place where developers were able to present their security tools and grow their community.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Fri, Aug 29th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //