10.5555/2026647.2026661
Article

What's clicking what? techniques and innovations of today's clickbots

Published: 07 July 2011

Abstract

With the widespread adoption of Internet advertising, fraud has become a systemic problem. While the existence of clickbots--malware specialized for conducting click-fraud--has been known for a number of years, the actual functioning of these programs has seen little study. We examine the operation and underlying economic models of two families of modern clickbots, "Fiesta" and "7cy." By operating the malware specimens in a controlled environment we reverse-engineered the protocols used to direct the clickbots in their activities. We then devised a milker program that mimics clickbots requesting instructions, enabling us to extract over 360,000 click-fraud directives from the clickbots' control servers. We report on the functioning of the clickbots, the steps they employ to evade detection, variations in how their masters operate them depending on their geographic locality, and the differing economic models underlying their activity.

Published In

DIMVA'11: Proceedings of the 8th international conference on Detection of intrusions and malware, and vulnerability assessment
July 2011
234 pages
ISBN: 9783642224232
Editors: Thorsten Holz, Herbert Bos

Publisher

Springer-Verlag

Berlin, Heidelberg
