Bahama Botnet Stealing Traffic From Google
itwbennett writes "'As part of its design, the Bahama botnet not only turns ordinary, legitimate PCs into click-fraud perpetrators that dilute the effectiveness of ad campaigns. It also modifies the way these PCs locate certain Web sites through DNS poisoning,' explains Juan Carlos Perez in an ITworld article. 'In the case of Google.com, compromised machines take their users to a fake page hosted in Canada that looks just like the real Google page and even returns results for queries entered into its search box. It's not clear where the Canadian server gets these results. What is evident is that the results aren't 'organic' direct links to their destinations, but are instead masked cost-per-click (CPC) ads that get routed through other ad networks or parked domains, some of which are in on the scam and some of which aren't.' 'Regardless, CPC fees are generated, advertisers pay, and click fraud has occurred,' Click Forensics reported on Thursday in a blog posting."
Related: Techcrunch reports on a massive Chinese click-fraud ring controlling 200,000 IP addresses.
And Microsoft doesn't want to let everybody download the new "Forefront" ... hmmm
Because having retailers pay for ads that will never generate sales is the only way to make them realize that it's not worth it to advertise in the first place.
As an aside, I'm looking forward to the new US blog rules that go into effect in a month that state bloggers need to say if they are getting paid to promote a product.
Are clicks still being sold? It is not interesting how many visits you get, but how many items are bought. So companies don't want visitors, they want customers. The salesmen I encountered were never interested in clicks, but were interested in "ad provision".
Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
How come we've not heard any statement from Google? Are they on top of this?
It's almost like saying in New York, "We hand out these stickers with the free-phone number of our store to you, and we will pay $1 for every call the number gets". There's a grillion ways you can achieve a lot of calls to a number. If I was a CEO, I would question the budget line for "click-financing" a lot.
captcha: vibrator
It's a nifty trick, but we should still dispatch ninjas to assassinate the people who wrote it. At this point I consider "death by ninja" to be the only hope I have of reducing the memory and CPU usage footprint of my AV software.
Is there any way I can send money to the writers of the Bahama botnet? I can't think of anything I want more on the Internet than something which reduces the viability of online advertising and takes traffic away from its major broker, Google. The web has reached the stage where almost everyone is a "content" producer, so while almost all of that content has no value (or is a pale imitation of content with value), because everyone now has an interest they refuse to admit just how worthless most of the web is. The primary reason for that worthlessness is that content is produced as a vehicle for selling advertisements, rather than content being provided on its own merits. This applies from the biggest conglomerate to the lowly blogger.
This is just one example of how easily protocols can be subverted on the Internet. I don't feel bad for the people that are unknowingly facilitating criminal activity on the Internet. They are not victims; they are a big part of the problem. Just as ignorance of the law is no excuse for breaking it, ignorance should not be an excuse for underestimating the dangers of participating as a user on a public, untrusted network (uhhhmm, the Internet).
The way these black-hat crackers are subverting the system is nothing new. It boils down to a simple man in the middle attack. I wouldn't be surprised if the Google search engine results that the OP stated that he didn't know where they were originating from didn't originate from Google. Google is likely profiting from this interaction as well. If someone can get in front of you and your destination (likely they have put themselves between you and the rest of the Internet community) then they can assume the identity of any content that you receive. So, if it Root DNS Servers and certificate authorities so they can phish your private information or increase someone's click revenue, as described in the OP, the fact remains that the ignorant pawns in this overt act are partners in the conspiracy.
If you are stupid enough to keep paying for clicks that don't land fruit then you deserve to lose your money. It's just bad business.
The more that people are reminded that the Internet is a no man's land and paying your $50 a month doesn't provide you any protection from the nefarious subculture that exists in every aspect of human interaction (including the Internet), the better. Hopefully pawns will wake up and realize that they need to take responsibility for their security and that of others (if you are an upstanding individual). Plus, security is a reactive function. If nobody had ever started sniffing packets in efforts to steal private information we likely wouldn't have encrypted, certificate-signed HTTP today. This kind of activity will lead to further security enhancements, though I don't think society should ever let their guard down because regardless of how tight security gets there will always be someone out there that can subvert it. The war is over, but the battle never ends.
Yeah...
Nick Powers
Encryption: I may not agree with what you say, but I will defend your right to encrypt it...
I've run across this beast before. Being Canadian, and used to all this crap being hosted in Russia, China, and various other places like that, imagine my surprise when I found the hosts file redirected all Google searches to a webhost in Ottawa.
However, it might be somewhat easy to detect. When you try to log in to Google, Youtube, or any other Google service, the browser throws a security warning, because the secure Google login website is using a self-signed certificate.
Although this may only apply after the active component of this malware is removed... I'm not sure. Didn't try to log in to Google before removal to try, because I didn't realize what I was dealing with at the time...
"City hall" in German is "Rathaus." Kinda explains a few things......
> "What is evident is that the results aren't 'organic' direct links to their destinations, but are instead masked cost-per-click (CPC) ads that get routed through other ad networks or parked domains,"
Well, this should be the easiest bust in the world. It's not often that the accomplices to a crime are literally *advertising* themselves. Go down the list of every CPC advertiser and bust them. They can claim they were not 'aware' of any wrongdoing, and that of course will be irrelevant in the eyes of the law.
This seems cut and dry from a prosecution perspective.
------ The best brain training is now totally free : )
So how do you remove this virus?
"In the case of Google.com, compromised machines take their users to a fake page hosted in Canada that looks just like the real Google page and even returns results for queries entered into its search box."
Oh noes... I go to www.google.ca all the time!
In my experience working with various advertisers, the problem is mainly not with Google or Yahoo, who act on click fraud, but their second-tier competitors like Miva, LookSmart, etc., who basically would go broke if they prevented click fraud.
How it works is that the scammers set up affiliate accounts with the above ad networks and then the botnet (or other means) is used to direct clicks through affiliate links to genuine ads, thus defrauding the advertisers. In most cases they redirect clicks intended for another purpose, so the advertiser's website which eventually appears to the victim is generally unwanted. I know this due to hate mail accusing our company of perpetrating this on purpose. The links look somewhat 'real' on your logs due to the wide geographic spread of IP addresses, but this traffic can be easily identified by the fact that the real people on the hijacked computers *never* buy.
Unfortunately the only solution is to not use Google and Yahoo's competitors, the net result of which is to reduce competition in a very bad way.
In theory, there's no difference between theory and practice; in practice there is.
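The tell described in the post above is that hijacked-PC traffic arrives from a wide spread of addresses but never converts. As an added example (not code from the post or from any ad network), here is the kind of per-affiliate check an advertiser could run over its own click log. The log format, the affiliate ids and the thresholds are assumptions; distinct source addresses stand in for "geographic spread" so the script runs offline without a geo-IP database.

```python
from collections import defaultdict

# Constructed sample of an advertiser's click log: (source_ip, affiliate_id, event).
# IPs come from the RFC 5737 documentation ranges; nothing here is real traffic.
SAMPLE_LOG = (
    # affiliate "aff-botnet": 30 clicks from 30 different addresses, not one purchase
    [(f"203.0.113.{i}", "aff-botnet", "click") for i in range(1, 31)]
    # affiliate "aff-legit": 25 clicks from a handful of addresses, 2 purchases
    + [(f"198.51.100.{i % 5}", "aff-legit", "click") for i in range(25)]
    + [("198.51.100.1", "aff-legit", "purchase"),
       ("198.51.100.3", "aff-legit", "purchase")]
)


def summarize(log):
    """Aggregate clicks, purchases and distinct source addresses per affiliate."""
    stats = defaultdict(lambda: {"clicks": 0, "purchases": 0, "ips": set()})
    for ip, affiliate, event in log:
        entry = stats[affiliate]
        if event == "click":
            entry["clicks"] += 1
            entry["ips"].add(ip)
        elif event == "purchase":
            entry["purchases"] += 1
    return stats


def flag_affiliates(log, min_clicks=20, min_distinct_ips=10, max_conversion=0.0):
    """Return affiliates that send plenty of widely spread clicks but no buyers.

    min_clicks / min_distinct_ips (assumed thresholds) keep new affiliates with
    too little data from being flagged; max_conversion is the purchases-per-click
    rate at or below which the traffic is treated as suspect.
    """
    flagged = {}
    for affiliate, entry in summarize(log).items():
        if entry["clicks"] < min_clicks or len(entry["ips"]) < min_distinct_ips:
            continue
        conversion = entry["purchases"] / entry["clicks"]
        if conversion <= max_conversion:
            flagged[affiliate] = {
                "clicks": entry["clicks"],
                "distinct_ips": len(entry["ips"]),
                "conversion": conversion,
            }
    return flagged


if __name__ == "__main__":
    for affiliate, info in flag_affiliates(SAMPLE_LOG).items():
        print(f"{affiliate}: {info['clicks']} clicks from "
              f"{info['distinct_ips']} addresses, conversion {info['conversion']:.2%}")
```

On the sample, only "aff-botnet" is flagged: 30 clicks from 30 addresses with a 0% conversion rate, while "aff-legit" is left alone both because its traffic comes from few addresses and because it actually produced purchases. Real logs would need a time window and a per-landing-page breakdown, but the zero-conversion signal is the one the post points at.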
>>Maybe the FBI is looking at the ICANN and the ICANN is looking at the FBI and wondering why the other one isn't doing anything.
Dude, your FBI might do something but hell will freeze over before ICANN starts policing their registrars' customers. Hell, they are slow to act even when it is clear one of their accredited registrars is stealing the public blind.
"I Can't" would be a better name imho
To resolve the issue if you have been infected, blow out the contents of the Hosts file.
c:\windows\system32\drivers\etc\hosts
Delete the junk contents where Google, Bing & Yahoo are pointing to international sites or to your local computer's IP.
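As an added example (not code from the post), here is a small scanner for the cleanup the post describes: it parses a hosts file, reports every entry that maps a Google, Bing or Yahoo hostname anywhere at all, and returns the file with those lines dropped. Any such mapping is flagged, not just ones to foreign addresses, because a clean hosts file has no reason to carry these names and a loopback mapping (the other case the post mentions) simply blocks the site. The sample file below is constructed; the list of watched labels is an assumption and can be extended.

```python
import ipaddress
import sys

# Second-level labels whose presence in a hostname makes a hosts entry suspect (assumed list).
WATCHED_LABELS = {"google", "bing", "yahoo"}

# Constructed sample hosts file; the three search-engine entries are the kind the post describes.
SAMPLE_HOSTS = """# constructed sample, not a real infected file
127.0.0.1       localhost
::1             localhost
# entries below mimic the redirections the post talks about
203.0.113.5     www.google.com
127.0.0.1       www.bing.com
192.0.2.77      search.yahoo.com
10.0.0.12       intranet.example
"""


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for each mapping, ignoring comments and blanks."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])  # validates both IPv4 and IPv6
        except ValueError:
            continue                             # malformed line, not a mapping
        for name in parts[1:]:
            entries.append((lineno, str(ip), name.lower()))
    return entries


def is_watched(hostname):
    """True if any label of the hostname is one of the watched brand labels."""
    return any(label in WATCHED_LABELS for label in hostname.split("."))


def suspicious_entries(text):
    """Mappings for watched hostnames, whatever address they point at."""
    return [e for e in parse_hosts(text) if is_watched(e[2])]


def clean_hosts(text):
    """Return the hosts file text with every suspicious mapping line removed."""
    bad_lines = {lineno for lineno, _, _ in suspicious_entries(text)}
    kept = [raw for i, raw in enumerate(text.splitlines(), 1) if i not in bad_lines]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # With a path argument (e.g. the Windows hosts path from the post) the real file is
    # scanned read-only; without one the constructed sample is used.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for lineno, ip, name in suspicious_entries(text):
        print(f"line {lineno}: {name} -> {ip}")
```

The script only reports and returns cleaned text; writing the result back to the system hosts file is left to the administrator, since on Windows that needs an elevated editor and, as the post above notes, the active malware component may simply rewrite the file until it is removed.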