Spider Locates Chameleon Botnet Munching On Click Fraud Revenues
March 20, 2013

Enid Burns for redOrbit.com — Your Universe Online

UK-based Spider.io has identified the Chameleon botnet, a network of over 120,000 compromised machines in the United States. Spider.io, an organization that identifies and measures human website activity and was formed at the Imperial College of London, estimates the botnet costs advertisers roughly $6.2 million a month for ad impressions served to infected computers.

The Chameleon botnet is not the first of its kind. Microsoft and Symantec took down the Bamital botnet on February 6. The two networks are somewhat alike, as both have cost online advertisers millions of dollars. Spider.io says the Chameleon botnet is distinctive because of the size of its financial impact. At a total of $6 million per month, Spider.io estimates, it is at least 70 times more costly than the Bamital botnet.

The Chameleon botnet is also the first botnet found to impact display advertisers at this scale. Most botnets go after text-link advertisers. Display advertising can be difficult to break through. Advertisers and networks use algorithms to target ads on appropriate websites and to appropriate Internet users. "For the Chameleon botnet to evade detection and impact display advertisers to the extent that it has required a surprising level of sophistication," the report states.

Spider.io first began to track the botnet in December and studied its activity while it determined the scope of the network and how to take it down. Spider.io determined the Chameleon botnet ran on host machines with Microsoft Windows as the operating system. Bots accessed the web through a Flash-enabled, Trident-based browser running JavaScript. Over 120,000 host machines were identified; 95 percent of the infected machines were residential computers in the US. The highest concentrations were found in California and Texas. The Southwest also had the highest concentrations of computers on the Chameleon botnet.

The botnet was able to evade fraud detection by constantly moving the mouse icon on the page when surfing. It constantly runs multiple, concurrent sessions per visitor, and it automatically reboots itself when a slave session crashes. Spider.io found that the network focused on 202 websites. The 202 websites account for 14 billion ad impressions per month. "The botnet accounts for at least 9 billion of these ad impressions. At least 7 million distinct ad-exchange cookies are associated with the botnet per month," the report said. "Advertisers are currently paying $0.69 CPM on average to serve display ad impressions to the botnet."

"Unlike most botnets discovered in the past, which have been used to send spam and host illicit pharmaceutical or phishing sites, Chameleon targets a couple of hundred sites which carry advertising -- and make up 9 billion of the 14 billion ad impressions on those sites each month," an article on the Guardian's UK website said.

The motivation for the Chameleon botnet is unclear. The Guardian UK article quotes Douglas de Jager of Spider.io, "The financial motive may be that 'owners of websites typically receive 55 - 65 percent of the money spent by advertisers to serve display ads on their respective sites. Ad networks typically receive about 30 percent of the money spent by advertisers.'"

Site publishers and ad networks are not named as the culprits. "But he declined to name any of the publishers being targeted by the bots, because they might be the targets of a scam run from outside - or, he suggested, 'it could even be a single person within one of the companies, unbeknownst to others at the company.'"