Foxy ‘Bahama botnet’ causes surge in click fraud

A new botnet has caused a sharp spike in click fraud because it is skirting the most sophisticated filters of search engines, Web publishers and ad networks, according to Click Forensics.

The company, which provides services to monitor ad campaigns for click fraud and reports on click fraud incidence every quarter, said on Thursday that the botnet’s architects have figured out a way to mask it particularly well as legitimate search ad traffic.

Click Forensics is calling this the “Bahama botnet” because it was initially redirecting traffic through 200,000 parked domains in the Bahamas, although it is now using sites in Amsterdam, the U.K. and Silicon Valley.

Click fraud affects marketers who spend money on pay-per-click (PPC) advertising on search engines and Web pages. It occurs when a person or machine clicks on a PPC ad either by mistake or with malicious intent.

For example, a competitor may click on a rival’s PPC ads in order to drive up their ad spending. Also, a rogue Web publisher may click on PPC ads on its site to trigger more commissions, which is probably what’s behind the Bahama botnet.

Click fraud also includes nonmalicious activity that nonetheless yields a click of little or no value to the advertiser, such as when someone clicks on an ad by mistake or two consecutive times.

Click Forensics has warned recently that click fraud scammers are increasingly resorting to botnets, which are networks of computers that have been secretly compromised for a variety of malicious tasks.

The Bahama botnet is masking the source of its clicks to convince click-fraud filters they are coming from high-quality, legitimate sources, such as U.S. libraries and schools.

The botnet is also altering the “interval and breadth” of the attacks from the compromised PCs, according to Click Forensics.

In a piece of extremely bad news for advertisers running PPC campaigns, Click Forensics has seen worst-case scenarios in which as much as 30 percent of a monthly ad budget is swallowed by Bahama botnet click-fraud traffic.

Ordinary users’ PCs are made part of the Bahama botnet with malware. Click Forensics found links to the malware in search results for queries about the non-existent Facebook Fan Check virus.

Last week, both security company Sophos and Facebook warned that malicious hackers were setting up malware-infested Web sites which falsely claimed to remove a non-existent virus from a new Facebook application called Fan Check.

False rumors spread that Fan Check infected PCs with malware, so scammers tried to capitalize on the concern that many Facebook members had about the application.

As Facebook members used popular search engines to find antivirus information about Fan Check, their results pointed to sites that offered false virus removal kits and instead infected their computers with malware.

Click Forensics also said the botnet malware is “extremely similar” to the “scareware” program found in malicious ads that The New York Times was tricked into serving up on its Web site last weekend.

Before the Times eliminated them, the ads displayed pop-up messages falsely telling users their PCs were infected so they would buy a fake anti-virus program.

Click Forensics is in contact with major search engines, ad network providers, advertisers, publishers and security companies regarding the Bahama botnet and ways to address it.

Neither Google nor Yahoo, which operate the two largest search engines and PPC ad networks, immediately responded to a request for comment.

Seven super ways to kick bot

How do businesses and individuals prevent their PCs from being infected by bots, detect if they’re already compromised and take remedial steps?

Below we present seven proven tips from security experts.

Step 1 – Secure your systems

A computer system usually gets infected with a malicious bot via many of the same channels it falls prey to other malware, Trojans and viruses.

That being the case, experts say the first level of defence in battling bots involves the same basic steps that are effective against viruses and Trojans – keeping your systems patched, using firewalls, spam filtering software and so on.

As another popular route for a bot attack is Web links transmitted through instant messaging (IM), users should also look at anti-virus and filtering software for IM.

Some companies have disabled IM because of inherent risks associated with it.

However, for firms averse to taking such a step, or for whom IM happens to be a business-critical capability, there are commercial applications that proxy those connections through a channel able to filter out malicious software.

Basic steps such as running a quality anti-virus program and installing apps that prevent loading of spyware and adware on your machine are a must. These apps should also be kept up to date.

Regular – if possible daily – system scans, and enabling the automatic virus detection software that checks every file as it’s opened are also fairly fundamental safeguards.

Step 2 – Watch for warning signs

Keeping a watchful eye on the help lines often gives network and IT managers their first hints of a possible botnet infection.

Any significant increase in calls about slow systems or lots of pop ups could be a sign of bot compromised machines on the network.

Likewise, Internet service providers (ISPs) are well positioned to detect suspicious activity. Sometimes these signs are detected by network service providers that have ISPs as customers.

For instance, Florham Park, N.J.-based Global Crossing, a network services provider, has several ISP customers and constantly monitors their traffic for unconventional or anomalous behaviour.

“We look for unusual traffic flows, [a spurt in] DNS lookups for names known to be used by botnet controllers, or whether lots of their customers [are] suddenly making connections to the same machine,” says Jim Lippard, director of information security operations at Global Crossing in a podcast.

When such trends are detected, he said, the ISP is immediately notified.

“They, in turn, can either suspend service to an affected customer, contact the customer; or they can put filters in place to block the activity.”

He said an ISP may sometimes put the affected customer into a “walled garden” – a quarantined environment where the person can no longer browse the Web, but is redirected to a Web page that says: “You have a problem, here are some characteristics of that problem and here are recommendations to fix it.”

Step 3 – Scan the horizon

It’s not just individual systems, but traffic on company networks that should be scanned as well.

Outbound e-mail scanning, for example, can help detect a spam virus attack when it’s launched from your network. In such cases, locating the compromised PC should not be difficult.

Be very concerned if your IP address becomes part of a black list, as that’s a sure sign of trouble emanating from your network.
Several sites on the Web can check a wide array of registered blacklists for you.

One of these is Spamhaus, a volunteer initiative that aims to track e-mail spammers and spam-related activity.

Spamhaus has developed three widely used anti-spam DNS Blocklists:

– The Spamhaus Block List (SBL) is a realtime database of IP addresses of verified spam sources and spam operations (including spammers, spam gangs and spam support services). It is supplied as a free service to help e-mail administrators better manage incoming e-mail streams.

– The Exploits Block List (XBL) is a realtime database of IP addresses of illegal third-party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc.), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

– The Policy Block List (PBL) is a database of end-user IP address ranges which should not be delivering unauthenticated SMTP email to any Internet mail server except those provided for specifically by an ISP for that customer’s use. The PBL helps networks enforce their Acceptable Use Policy for dynamic and non-MTA customer IP ranges.

Many ISPs and other Internet sites use these free services to reduce the amount of spam they take on.

The SBL, XBL and PBL collectively protect over 500 million e-mail users, according to Spamhaus’ Web site.
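How a DNS blocklist lookup actually works is worth seeing once, because it is the same mechanism a mail server or a “check my IP” site uses against the SBL, XBL and PBL. The script below is an added example, not code from the article or from Spamhaus: it builds the reversed-octet query name, resolves it, and decodes the answer. NXDOMAIN means “not listed”; an answer in 127.0.0.0/8 means “listed”, and the last octet says which list matched (the code-to-list mapping follows Spamhaus’ published documentation for the combined zen zone). The resolver is injected as a function so the demo runs offline against constructed answers for documentation-range addresses; live_resolver() shows the real system call.

```python
"""DNSBL lookup helper (added example; not the article's or Spamhaus' code)."""
import ipaddress
import socket
from typing import Any, Callable, Dict, List, Optional

Resolver = Callable[[str], Optional[List[str]]]

ZEN_ZONE = "zen.spamhaus.org"                                  # combined SBL + XBL + PBL zone
LISTED_RANGE = ipaddress.IPv4Network("127.0.0.0/8")          # any answer here means "listed"
ERROR_RANGE = ipaddress.IPv4Network("127.255.255.0/24")      # Spamhaus error codes, not listings


def dnsbl_query_name(ip: str, zone: str = ZEN_ZONE) -> str:
    """Build the reversed-octet name a DNSBL lookup resolves, e.g. 7.2.0.192.zen.spamhaus.org."""
    addr = ipaddress.IPv4Address(ip)               # raises ValueError on malformed input
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def decode_return_code(answer: str) -> Optional[str]:
    """Map a zen zone answer to the list it represents (codes as documented by Spamhaus)."""
    code = ipaddress.IPv4Address(answer)
    if code in ERROR_RANGE or code not in LISTED_RANGE:
        return None
    last = int(code) & 0xFF
    if last in (2, 3):
        return "SBL"        # 127.0.0.2 SBL, 127.0.0.3 SBL CSS
    if 4 <= last <= 7:
        return "XBL"        # exploited hosts: open proxies, spam-engine malware
    if last == 9:
        return "SBL"        # DROP/EDROP hijacked netblocks, published through SBL
    if last in (10, 11):
        return "PBL"        # end-user ranges that should not send SMTP directly
    return None


def check_ip(ip: str, resolver: Resolver, zone: str = ZEN_ZONE) -> Dict[str, Any]:
    """Query one address and report which lists (if any) it is on."""
    name = dnsbl_query_name(ip, zone)
    result: Dict[str, Any] = {"ip": ip, "query": name, "listed": False, "lists": [], "errors": []}
    answers = resolver(name)
    if answers is None:                            # NXDOMAIN: not on any list
        return result
    for a in answers:
        if ipaddress.IPv4Address(a) in ERROR_RANGE:
            result["errors"].append(a)             # e.g. query sent through an open resolver
            continue
        hit = decode_return_code(a)
        if hit and hit not in result["lists"]:
            result["lists"].append(hit)
    result["listed"] = bool(result["lists"])
    return result


def live_resolver(name: str) -> Optional[List[str]]:
    """Real lookup through the system resolver (not used by the offline demo)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return None


# Constructed answers standing in for a real zone; addresses are RFC 5737 documentation ranges.
CONSTRUCTED_ANSWERS: Dict[str, List[str]] = {
    dnsbl_query_name("192.0.2.7"): ["127.0.0.4", "127.0.0.10"],   # XBL + PBL
    dnsbl_query_name("203.0.113.9"): ["127.0.0.2"],               # SBL
    dnsbl_query_name("192.0.2.250"): ["127.255.255.254"],         # error code, not a listing
}


def constructed_resolver(name: str) -> Optional[List[str]]:
    return CONSTRUCTED_ANSWERS.get(name)


if __name__ == "__main__":
    for ip in ("192.0.2.7", "203.0.113.9", "198.51.100.1", "192.0.2.250"):
        print(check_ip(ip, constructed_resolver))
```

The error-range check matters in practice: a query sent through a public open resolver gets a 127.255.255.x answer rather than a listing, and treating it as “listed” would block mail from every address checked.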

Another option is signing up for e-mail feedback groups maintained by MSN, AOL and Yahoo that notify you if spam traffic arriving at those networks is originating from your IP address.

Intrusion detection software running on your network may be able to recognize the patterns of traffic that botnets generate once they’re inside.

Step 4 – Exercise your [Port] Authority

There are 65,535 available ports, but only 1,024 of them are designated by the Internet Assigned Numbers Authority as “well-known” ports.

But bad guys tend to sneak things through using higher numbered ports which have no use designated.

Some experts – such as Steve Pao, vice-president, product management at Barracuda Networks – recommend blocking Port 25, the IP port used for outbound e-mail.

Pao notes some ISPs are starting to block it on new accounts for e-mail that doesn’t have a legitimate IP address. He acknowledges that’s difficult for individuals to do, because it effectively prevents mail from going out.

But, he says, other features – such as Internet Relay Chat (IRC) – should be blocked “because in most cases that will prevent zombies from calling home even if they do get installed.”

Another expert advocates a smart approach to “blocking” that enhances security, while not eroding functionality.

“Block everything you don’t use,” is the advice of Dean Turner, senior manager of security response at Symantec Corp. For most people, he says, use of the Internet requires only a few ports to be open.

“You’ll need ports 25 and 110 for e-mail, port 53 for DNS lookup, port 80 for the Web and port 443 for SSL,” he says, “and if you allow those ports and nothing else you’ll be much safer.”

The list of particularly dangerous ports commonly used by Trojans and other malware programs is available online.
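The signals described in Step 2 and Step 4 can be turned into a simple network check. The script below is an added example, not code from the article, Global Crossing, Symantec, Barracuda or any product named on the page: over constructed flow records it flags DNS lookups for names known to be used by botnet controllers and many internal hosts suddenly connecting to the same external machine (the two indicators Lippard describes), and outbound connections on ports outside the short allowlist Turner gives, with IRC reported separately because Pao singles it out. The record format, the controller names, the internal address ranges, the baseline of shared servers, the IRC port and the fan-in threshold are all assumptions made for the demo.

```python
"""Network-level bot indicators over constructed flow records (added example)."""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

# The allowlist quoted in Step 4: mail (25, 110), DNS (53), Web (80) and SSL (443).
ALLOWED_EGRESS_PORTS: Set[int] = {25, 110, 53, 80, 443}
# Hypothetical: the page says to block IRC but names no port; 6667 is IRC's customary port.
IRC_PORTS: Set[int] = {6667}
# Hypothetical controller names; a real deployment would take these from a threat-intel feed.
KNOWN_C2_NAMES: Set[str] = {"fanchk-update.example", "ads-relay.example"}
# Hypothetical baseline of external servers many hosts legitimately share (e.g. a hosted mail gateway).
BASELINE_DESTINATIONS: Set[str] = {"198.51.100.20"}
# Hypothetical: the organisation's own address space (RFC 1918 here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    qname: str          # DNS query name; empty for non-DNS flows


class Finding(NamedTuple):
    kind: str
    subject: str
    detail: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> List[Flow]:
    """Parse 'ts,src,dst,dport,proto,qname' lines; blank lines and # comments are skipped."""
    flows: List[Flow] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, qname = line.split(",")
        flows.append(Flow(ts, src, dst, int(dport), proto, qname))
    return flows


def detect(flows: List[Flow], fan_in_threshold: int = 3) -> List[Finding]:
    findings: List[Finding] = []
    clients: Dict[Tuple[str, int], Set[str]] = defaultdict(set)

    for f in flows:
        # 1. DNS lookups for names known to be used by botnet controllers (Step 2)
        if f.qname and f.qname.lower() in KNOWN_C2_NAMES:
            findings.append(Finding("c2_dns_lookup", f.src, f.qname))
        if not (is_internal(f.src) and not is_internal(f.dst)):
            continue                                   # only outbound flows matter below
        clients[(f.dst, f.dport)].add(f.src)
        # 3. egress outside the allowlist (Step 4), IRC called out on its own
        if f.dport not in ALLOWED_EGRESS_PORTS:
            kind = "irc_egress" if f.dport in IRC_PORTS else "egress_policy"
            findings.append(Finding(kind, f.src, f"{f.dst}:{f.dport}"))

    # 2. many internal hosts talking to one external machine that is not a known shared server
    for (dst, dport), srcs in clients.items():
        if dst not in BASELINE_DESTINATIONS and len(srcs) >= fan_in_threshold:
            findings.append(Finding("fan_in", f"{dst}:{dport}", f"{len(srcs)} internal hosts"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.kind] += 1
    return dict(counts)


# Constructed flow records using RFC 5737 documentation addresses; not real traffic.
SAMPLE_FLOWS = """\
# ts,src,dst,dport,proto,qname
2009-09-17T10:00:01,10.0.0.5,10.0.0.1,53,udp,www.example.org
2009-09-17T10:00:02,10.0.0.5,10.0.0.1,53,udp,fanchk-update.example
2009-09-17T10:00:05,10.0.0.5,203.0.113.10,6667,tcp,
2009-09-17T10:00:06,10.0.0.6,203.0.113.10,6667,tcp,
2009-09-17T10:00:07,10.0.0.7,203.0.113.10,6667,tcp,
2009-09-17T10:00:08,10.0.0.8,198.51.100.20,443,tcp,
2009-09-17T10:00:09,10.0.0.9,198.51.100.30,31337,tcp,
"""

if __name__ == "__main__":
    results = detect(parse_flows(SAMPLE_FLOWS))
    for finding in results:
        print(finding)
    print(summarize(results))
```

The internal ranges are listed explicitly rather than taken from the library’s notion of “private” addresses, because the defender, not the library, decides which networks count as inside; the same goes for the baseline of shared servers, which keeps a busy web or mail gateway from tripping the fan-in rule.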

Step 5 – Educate users

Smart and cautious users are an organization’s strongest defence against malware and botnets. Periodic educational sessions with users should focus on issues like:

– The importance of not opening attachments or navigating to links in an e-mail from unknown senders.

– Symptoms of a bot attack.

– The importance of immediately reporting to the IT department any signs that their systems are compromised.

Once bots get in they will try to do things like scan and disrupt other systems, with the same kind of behaviour you would see from a worm or a virus.

Industry insiders say IT managers should take proactive steps to ward off botnet infections – steps that go far beyond keeping virus signatures current.

For instance, Patrick Peterson, vice-president of technology at San Bruno, Calif.-based Ironport Systems Inc., a provider of Web and e-mail security products, notes that network and IT managers often get their first glimpse of a botnet infection by keeping an eye on the help lines.

“Find out how many people are calling in because their PCs are becoming unusable, either because they are too slow or there is a lot of popup activity.”

If there’s a sudden spike in calls reporting these problems, Peterson says, there’s something like a 10-to-1 chance the PCs have become part of a botnet.

Enterprise network administrators can also keep a close watch for suspicious outbound activity using their network-monitoring software.

Intrusion Detection and Intrusion Prevention systems allow you to identify how your network bandwidth is being used, so if you detect a sudden burst of peer-to-peer traffic or IRC traffic or an unusual set of DNS lookups, those are all characteristic of bot activity.

Step 6 – Share information

Better co-operation and information sharing between anti-virus and anti-spyware product vendors is vitally important to beat the botnet scourge.

Unfortunately, there’s little evidence of such co-operation.

These companies “tend to keep names of malware they find to themselves [so they can] use it to competitive advantage,” says Global Crossing’s Lippard.

Some vendors acknowledge that this is indeed the case.

TrendMicro CEO Eva Chen, in an interview with IT World Canada, recalled the “early days” of the AV industry, when she and John McAfee (founder of anti-virus software vendor McAfee Inc.) used to exchange virus samples.

“Our belief was that you competed by creating a better product, not by collecting more virus samples.”

She rued the absence of this attitude among some newer vendors in the field. “They don’t play by those rules. They see collecting new samples as their competitive advantage.”

Step 7 – Use Web 2.0 tools

Social networking sites and tools often function as double-edged swords.

Spammers and bot herders use them to spread and launch virus, Trojan or bot attacks.

But the networking potential these sites offer can also be harnessed to counter such threats.

Chen said her company experienced the incredible power of such co-operation following its purchase of HijackThis, a free utility that scans Windows computers to find settings that may have been changed by spyware, malware, or other unwanted programs.
HijackThis creates a report, or log file, with the results of the scan.

Chen said when HijackThis was put out under TrendMicro’s brand name, a Collect the Log feature was added, which gave users the option of sending the scan results log back to TrendMicro for analysis.

“The very first day we received 2,000 logs from customers and over the weeks this number continued to increase,” Chen said. “We were able to use these logs as a basis for data mining – to understand what the newest bot attacks are and to develop an antidote.”

TrendMicro offers companies a Botnet Identification Service that locates botnet command-and-control servers and blocks communications between them and the bots they control.

“By breaking their ability to communicate, the bots are rendered useless – unable to spew spam and launch crime-related attacks that could damage your brand image, degrade network performance, and increase support costs,” the TrendMicro site says.

Source: Computerworld.com
