With pay per click programs such as Google Adsense, there is another way to earn money from advertisers by building a scam where the money flows like this:
- The advertisers pay Google for clicks in the hope to sell something.
- Google has a bunch of publishers that own a website and run banners for them. Google pays (a high percentage) of the revenue to the publisher.
- Some of these publishers aren't honest, but Google (tries to) detects fraudulous clicks and suspends them, so they need to hide the additional clicks better.
- Somebody with a botnet generates the clicks from a few hundred machines and makes sure they look as innocent as possible. Keeps it a low profile while at it. Of course the botnet owner will want a share from the publisher.
Bottom line is that the advertiser pays in exchange for a bot visiting him.
It seems some bot operator left a website with both the bot's *.exe and the web based control panels wide open. An anonymous source sent us the URL.
While some of the *.exe's were detected pretty well, this one stood out [Virustotal results]:
AntiVir 126.96.36.199/20060514 found [TR/Drop.Small.ann.1]
Avast 4.6.695.0/20060512 found nothing
AVG 386/20060512 found nothing
BitDefender 7.2/20060514 found nothing
CAT-QuickHeal 8.00/20060512 found [(Suspicious) - DNAScan]
ClamAV devel-20060426/20060512 found nothing
DrWeb 4.33/20060514 found [Adware.IEHelper]
eTrust-InoculateIT 23.72.7/20060512 found nothing
eTrust-Vet 12.4.2207/20060512 found nothing
Ewido 3.5/20060513 found [Hijacker.BHO.d]
Fortinet 188.8.131.52/20060514 found [suspicious]
F-Prot 3.16c/20060512 found nothing
Ikarus 0.2.65.0/20060512 found nothing
Kaspersky 184.108.40.206/20060514 found [Trojan-Dropper.Win32.Small.ann]
McAfee 4761/20060512 found nothing
Microsoft 1.1372/20060513 found nothing
NOD32v2 1.1536/20060513 found nothing
Norman 5.90.17/20060512 found nothing
Panda 220.127.116.11/20060513 found [Suspicious file]
Sophos 4.05.0/20060513 found nothing
Symantec 8.0/20060514 found nothing
TheHacker 18.104.22.168/20060512 found nothing
UNA 1.83/20060512 found nothing
VBA32 3.11.0/20060513 found nothing
It is interesting to note that the botnet was 115 bots in size at the early time of the day I was looking at it and most were under 15 clicks each.
It's been reported to Google in order to make sure nobody gets paid.
Swa Frantzen - Section 66