Over the last few years, botnets have become a stable source of income for cybercrime groups. This is hardly surprising: the costs are invariably low, while better tools mean it is becoming easier to control botnets. Despite the fact that 2010 saw the command servers for a number of major botnets such as Mariposa, Zeus and Bredolab shut down, many others continue to flourish.
One particularly profitable area of botnet specialization is the generation of fake traffic. Many website owners who want to increase user traffic to their resources employ the services of advertising networks. To increase traffic to the web resource being advertised, links to that site are displayed on websites belonging to participants of the advertising network, the so-called 'publishers'. The advertiser pays the owners of the network a fee for every visitor the network directs to them. The publishers are paid for each user redirected from their website to the advertiser's website. This business model becomes illegal if the participants in the advertising network, in a bid to make a quick buck, use a botnet to generate traffic.
A good example of an advertising botnet is the Artro zombie network which has been around since 2008. Artro bots are detected by Kaspersky Lab products as Trojan-Downloader.Win32.CodecPack. The Artro botnet has grown to an enormous size over the last two and a half years: in January 2011 CodecPack was detected at least once on the machines of about 140,000 of our users. According to data from log files, computers in 235 countries across the globe have been infected with Trojan-Downloader.Win32.CodecPack.
Two experts from Kaspersky Lab, Maria Garnayeva and Alexey Kadiev, studied the functionality and business model of this particular botnet and outlined their findings in an article titled 'The Advertising Botnet'.
The Artro bots emulate redirection of users who click on advertising links to the resources being advertised. In order to do this, a bot enters the address of the botnet client's website into the 'referer' field of an HTTP request to the advertising service or sends the ID of an advertising network partner in the request's parameters.
This type of fraudulent scheme provides income to botnet owners, unscrupulous partners and publishers. The advertising networks receive their share of the income as well. Only the advertisers suffer: their investment in advertising fails to provide their websites with visitors. The authors believe that many of the website owners and advertising network partners are unaware of the fact that some of their revenue comes from a botnet.
"In the course of our research, we discovered the average number of clicks-per-day that each module performs on the links received in the configuration file. This figure, as well as such parameters as the average payment received by an advertising service per click, the minimum number of bots on a zombie network and the probable share allotted to botnet owners from the sale of traffic, enables us to estimate the income received by the cybercriminals – somewhere in the region of US $1,000-$2,000 a day," the authors concluded.
A large number of infected computers and a well organized business model allow the cybercriminals to deceive advertisers and make large amounts of money in the process. In addition to this line of business, the cybercriminals also make money from downloading third-party malware to infected computers. The number of infected machines combined with the fact that the downloader is difficult to detect means that the CodecPack/Artro botnet is a very dangerous tool in the hands of cybercriminals.
You can find the full text of 'The Advertising Botnet' on Securelist.com. Kaspersky Lab gives its consent to reprint our articles as long as it is properly attributed (citation of the author, the company and the primary source of publication). This text may not be republished without the consent of the company's Information Service.