A number of news reports have picked up on a blog post by Spider.io, where the web analytics firm discusses a botnet that can allegedly generate more than $6 million a month through bogus clicks on online adverts.
The botnet, which Spider.io has dubbed “Chameleon”, is said to have infected some 120,000 computers in the United States.
When I read stories like this, the first thing I want to check is – “Do Sophos products detect this? Are we protecting our customers?”
In this particular case, that’s hard to definitively answer – because Spider.io hasn’t shared much in the way of information. The name isn’t used by other anti-virus products, and no checksums or VirusTotal links are offered in the blog post.
Last year, SophosLabs researchers published a technical paper about ZeroAccess – a botnet which had managed to infect over its lifespan nine million PCs around the world, but was now one million computers strong and mostly based in the United States.
Like “Chameleon”, ZeroAccess earns money through click fraud (and it also has a sideline in Bitcoin mining) – we estimated at the time it was making almost $3 million per month.
Could Chameleon and ZeroAccess be related? We’d need more information from Spider.io to be definite about that, but there certainly seem to be similarities.
The good news is that Chameleon is said to be quite unstable, and causes regular crashes and computer slowdown – something which might alert users to there being a problem with their PC.
What is click fraud?
Click fraud is a type of crime that abuses pay-per-click (PPC) advertising to make money through fake or fraudulent clicks on ads.
PPC advertising is a very big industry on the internet. It is operated by large networks such as Google Adwords, Yahoo! Search Marketing and Microsoft adCenter and generates billions of dollars a year.
PPC works by a fee being paid when a link or ad is clicked. Typically advertisers (who have something they want to sell) place ads on website operators’ websites and pay the website owner a fixed amount each time the ad is clicked.
The advertising networks act as middlemen – the advertiser registers with the advertising network, the network places the ad on the publisher’s website and when a click happens the advertiser pays the network and the publisher.
Click fraud is the process of clicking an ad for the purpose of generating a charge without having any interest in the subject of the ad.
Money can be made by becoming an affiliate for the advertising networks and by pretending to be a publisher that is placing the ad on their website.
If a malicious actor can generate clicks on ads and get paid each time a click takes place then they can make money. If they can generate a large number of clicks without the advertising network realizing the clicks are fraudulent then there is potential to make a large amount of money. In many ways a botnet is ideal for generating a large number of clicks.
Further reading: The ZeroAccess Botnet:
Mining and Fraud for Massive Financial Gain
In all probability, Sophos products do already detect the “Chameleon” threat.
As ever, our advice is to keep your wits about you and your systems secure and updated.
That doesn’t just mean running an up-to-date anti-virus program – you should also ensure that you are installing the latest operating system patches, and security updates for other frequently exploited programs such as Java, Adobe Flash and Adobe Reader.
Thanks to James Wyke and Fraser Howard of SophosLabs for their assistance.
Chameleon image from Shutterstock.