‘Chameleon’ Botnet Pilfers Millions From Advertisers

A sophisticated botnet has made its owners at least $6.2 million ($4.09m) by forcing infected machines to click on ads.

The Chameleon botnet consists of over 120,000 bots, which are running on infected Windows PCs, sucking up traffic by running sessions in the background, clicking on ads from 202 selected websites, said London-based Spider.io.

How it works

The tactic is not new. Other malware, such as the massively prevalent ZeroAccess, has exploited pay-per-click advertising, which sees website owners paid every time an ad is clicked on. Cyber crooks create malware that clicks on these ads, on websites they own, thereby making themselves plenty of money.

Criminals will become an affiliate of advertising networks such as  Google Adwords so they can ensure their sites will serve ads of significant marketers. It’s only the marketers who lose out, as they pay both the publisher and the tricksters without gaining any benefit.

Indeed, there is a chance Chameleon is not a new threat from the perspective of other AV vendors. It could be something like ZeroAccess, but with a different name. Spider.io had not responded to a request for comment at the time of publication.

Chameleon is still a sophisticated malicious network, however. Its niftiest trick is to avoid detection by carrying out actions designed to resemble a human user. Instead of just pummeling ads with clicks, the bots carry out non-profit making activities, as a normal user would, such as visiting non-target sites.

“Individual bots run Flash and execute JavaScript. Bots generate click traces indicative of normal users,” Spider.io wrote in a blog post.

“Bots also generate client-side events indicative of normal user engagement. They click on ad impressions with an average click-through rate of 0.02 percent; and they surprisingly generate mouse traces across 11 percent of ad impressions.”

You can see how dispersed clicks are from the following diagrams:

The bot browsers also report themselves to websites as being Internet Explorer 9.0 running on Windows 7.

“If they [the Chameleon operators] can generate a large number of clicks without the advertising network realising the clicks are fraudulent then there is potential to make a large amount of money. In many ways a botnet is ideal for generating a large number of clicks,” Graham Cluley, senior technology consultant at security firm Sophos, told TechWeekEurope.

“Hopefully the attention being given to the Chameleon botnet will wake some users up to the need to check their computers for infection, but it wouldn’t be a surprise to see even more clickfraud malware in the future.”

Are you a security pro? Try our quiz!