Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!


Published: 2006-05-14
Last Updated: 2006-05-14 11:06:12 UTC
by Swa Frantzen (Version: 1)
0 comment(s)

With pay per click programs such as Google Adsense, there is another way to earn money from advertisers by building a scam where the money flows like this:

  • The advertisers pay Google for clicks in the hope to sell something.
  • Google has a bunch of publishers that own a website and run banners for them. Google pays (a high percentage) of the revenue to the publisher.
  • Some of these publishers aren't honest, but Google (tries to) detects fraudulous clicks and suspends them, so they need to hide the additional clicks better.
  • Somebody with a botnet generates the clicks from a few hundred machines and makes sure they look as innocent as possible. Keeps it a low profile while at it. Of course the botnet owner will want a share from the publisher.

Bottom line is that the advertiser pays in exchange for a bot visiting him.

It seems some bot operator left a website with both the bot's *.exe and the web based control panels wide open. An anonymous source sent us the URL.

While some of the *.exe's were detected pretty well, this one stood out [Virustotal results]:

AntiVir          found [TR/Drop.Small.ann.1]
Avast 4.6.695.0/20060512        found nothing
AVG 386/20060512     found nothing
BitDefender 7.2/20060514    found nothing
CAT-QuickHeal 8.00/20060512   found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060512 found nothing
DrWeb 4.33/20060514   found [Adware.IEHelper]
eTrust-InoculateIT 23.72.7/20060512 found nothing
eTrust-Vet 12.4.2207/20060512       found nothing
Ewido 3.5/20060513    found [Hijacker.BHO.d]
Fortinet        found [suspicious]
F-Prot 3.16c/20060512  found nothing
Ikarus        found nothing
Kaspersky        found [Trojan-Dropper.Win32.Small.ann]
McAfee 4761/20060512   found nothing
Microsoft 1.1372/20060513 found nothing
NOD32v2 1.1536/20060513 found nothing
Norman 5.90.17/20060512          found nothing
Panda           found [Suspicious file]
Sophos 4.05.0/20060513 found nothing
Symantec 8.0/20060514    found nothing
TheHacker       found nothing
UNA 1.83/20060512    found nothing
VBA32 3.11.0/20060513 found nothing

It is interesting to note that the botnet was 115 bots in size at the early time of the day I was looking at it and most were under 15 clicks each.

It's been reported to Google in order to make sure nobody gets paid.

Swa Frantzen - Section 66
0 comment(s)
Diary Archives