Tuesday, May 01, 2007

Google on Clickbot.A

Googlers Neil Daswani and Michael Stoppelman wrote a paper, "The Anatomy of Clickbot.A" (PDF), on a clever click fraud attack against Google using a botnet.

From the paper:
This paper presents a detailed case study of the Clickbot.A botnet. The botnet consisted of over 100,000 machines ... [and] was built to conduct a low-noise click fraud attack against syndicated search engines.

Some computers [in the botnet] were infected by downloading a known trojan horse. The trojan horse disguised itself as a game .... It does not slow down a machine or adversely affect a machine’s performance too much. As such, users have no incentive to disinfect their machines of such a bot.

Several tens of thousands of IP addresses of machines infected with Clickbot.A were obtained. An analysis of the IP addresses revealed that they were globally distributed ... The IP addresses also exhibited strong correlation with email spam blacklists, implying that infected machines may have also been participating in email spam botnets as well.

Conducting a botnet-based click fraud attack directly against a top-tier search engine might generate noticable anomalies in click patterns, Clickbot.A attempted to avoid detection by employing a low-noise attack against syndicated search engines.
This is a pretty impressive attempt. Since the attacker disguises itself as a large number of independent users, this type of click fraud would be a challenge to detect.

I have to wonder whether there could be other, more clever attackers using similar methods that are slipping by undetected. For example, using a larger botnet would make the fraud more difficult to detect. It does appear that a several tens of thousands of IP addresses is not huge for a botnet; one was discovered back in 2005 that had 1.5M machines.

I also suspect an attacker could also make the fraud pattern more challenging to find by mimicking normal search and ad click patterns most of the time, especially on machines that are otherwise idle, which otherwise would stand out by doing nothing but fraudulent clicks.

As the paper says, this type of botnet-based click fraud is only likely to increase. Security researchers like Neil and Michael have their work cut out for them.

1 comment:

David said...

I recently read about hackers using ads to get people to visit there sites and attack the browser. It is made possible because any pay-per-click ad system requires that the click first go to the ad server (for accounting) then be redirected to the advertiser's site. Since the user can never see the destination of the ad, it is easy for attackers to create ads that the user will want to follow, then insert their own site that provides thier attack, then redirect to the site the user wants without the user realizing they've been attacked. With click fraud making pay-per-click more risky for advertisers and hack ads making clicking on ads more dangerous for users, pay-per-click advertising has serious work to do to remain viable.