Dissecting Clickbot.A

By the way, if you think botnets are intriguing, you’ll enjoy this post by Google software engineer Neil Daswani. It’s about a recent USENIX paper (PDF link) in which Neil and other Googlers talk about Clickbot.A, which was a bot that clicked on Google ads last year.

The high-order bit is that “Google identified all clicks on its ads exhibiting Clickbot.A-like patterns and marked them as invalid,” but you may want to read the full paper if you’re interested. At the end, they even show one version of the botmaster’s source code. The attacker apparently left a backup file lying around, so you can see that functions are named things like “ThisIPIsClick()”. I thought the paper was a fun read.

17 Responses to Dissecting Clickbot.A

  1. JohnMu

    I loved it. VERY interesting.

    As a normal blogger, Matt, how many similar systems do you feel are currently running undetected?

    The content network seems to attract the strangest things (and even the search network also has some really “spammy-feeling” search sites that I can’t opt out of).

  2. JohnMu, luckily all I have to worry about is webspam, so that’s outside my area. But my understanding is that Google uses a number of things (SmartPricing, site exclusion) to give advertisers tools to help avoid this being an issue. I think that the ability to block IP addresses is on the way, too.

  3. Matt —

    Curious — do you know if the Google folks noticed Clickbot.A (from its clicks) before the Panda folks noticed Clickbot.A (from the trojan spread)?

    Also, you mention “source” above — wasn’t it all PHP, or did I misread the report?

    Kudos to you all for the transparency on this —

    Alan

  4. Alan Rimm-Kaufman, I don’t know, but I’ll try to find out. You’re right that the botmaster source was PHP source code. I think the Clickbot.A client was a Windows binary, but I’m not sure.

  5. Johannes

    Clickbot.A was a Browser Helper Object for Microsoft Internet Explorer. Same like the Googletoolbar 🙂

  6. Alan,

    I was one of the authors of the paper. The source we released was for the PHP botmaster. Matt’s previous comment is correct, there was a separate binary that installed into IE as a BHO (Browser Helper Object). I hope that helps clear things up.

    -M

  7. Michael, thanks for stopping by! I really enjoyed the paper — thanks for publishing it, and hope you’re doing well. 🙂

  8. Matt, Michael and Alan: thanks for the analysis and the commentary on the analysis. Fascinating stuff: for me it was a shock that click fraud was this sophisticated and that the fraudsters were this cunning.

  9. Is there any way to detect JavaScript clickbots? I run an advertising website (traffic exchange), and the trend now is to hide JavaScript in pages that have paid-to-search portals on them. The JavaScript then has some way of making the visitor “click” on a random ad at random intervals. I haven’t seen it done on AdSense yet, but since AdSense isn’t allowed on traffic exchanges that would probably be why. Any tips on finding them with a PHP script would be great, they are causing lots of havoc for me.

  10. Tim: where are the JS clickbots? On pages you control? If yes, then it would be pretty straightforward to ‘detect’ them using PHP.
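Editor’s note: as an added illustration of what Robin describes (scanning pages you control for click-automation scripts), and not code from this post, the paper, or any commenter, here is a small PHP heuristic scanner. It flags an inline script only when it combines a timer (setInterval/setTimeout) with a synthetic click (.click(), dispatchEvent, MouseEvent) and reports ad-markup and Math.random references as supporting markers; external scripts are listed for manual review. The two sample pages at the bottom, the directory path, and every marker pattern are constructed assumptions for this example, and real pages will need the marker list tuned to their own ad markup.

```php
<?php
// Added example, not from the post or the paper: heuristic scan of HTML
// pages you control for scripts that automate clicks on ad links.
declare(strict_types=1);

// Marker regexes (constructed for this example). "timer" plus
// "synthetic_click" is required to flag; the others only add context.
const CLICKBOT_PATTERNS = [
    'timer'           => '/\b(setInterval|setTimeout)\s*\(/i',
    'synthetic_click' => '/\.click\s*\(\s*\)|dispatchEvent\s*\(|initMouseEvent\s*\(|new\s+MouseEvent\s*\(\s*[\'"]click[\'"]/i',
    'random_target'   => '/Math\.random\s*\(/i',
    'ad_markup'       => '/\b(ads?|sponsor|adsense|googlesyndication|iframe)\b/i',
];

// Split a document into inline <script> bodies and external src URLs.
function extractScripts(string $html): array
{
    $inline = [];
    $external = [];
    if (preg_match_all('/<script\b([^>]*)>(.*?)<\/script>/is', $html, $m, PREG_SET_ORDER)) {
        foreach ($m as $match) {
            if (preg_match('/\bsrc\s*=\s*["\']([^"\']+)["\']/i', $match[1], $src)) {
                $external[] = $src[1];          // review these by hand
            } elseif (trim($match[2]) !== '') {
                $inline[] = $match[2];
            }
        }
    }
    return ['inline' => $inline, 'external' => $external];
}

// Return the names of all markers present in one script body.
function scoreScript(string $js): array
{
    $hits = [];
    foreach (CLICKBOT_PATTERNS as $name => $re) {
        if (preg_match($re, $js)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Flag only when a timer and a synthetic click occur together.
function isSuspicious(array $hits): bool
{
    return in_array('timer', $hits, true) && in_array('synthetic_click', $hits, true);
}

// Scan one document and return a report array for that page.
function scanHtml(string $label, string $html): array
{
    $scripts = extractScripts($html);
    $findings = [];
    foreach ($scripts['inline'] as $i => $js) {
        $hits = scoreScript($js);
        if (isSuspicious($hits)) {
            $snippet = substr(trim(preg_replace('/\s+/', ' ', $js)), 0, 120);
            $findings[] = ['script' => $i, 'markers' => $hits, 'snippet' => $snippet];
        }
    }
    return ['page' => $label, 'findings' => $findings, 'external_scripts' => $scripts['external']];
}

// Walk a web root and scan every .html/.htm/.php file (path is an assumption).
function scanDirectory(string $root): array
{
    $reports = [];
    $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $file) {
        if (preg_match('/\.(html?|php)$/i', $file->getFilename())) {
            $reports[] = scanHtml($file->getPathname(), (string) file_get_contents($file->getPathname()));
        }
    }
    return $reports;
}

function printReport(array $report): void
{
    printf("%s: %d suspicious inline script(s); external: %s\n",
        $report['page'], count($report['findings']),
        $report['external_scripts'] ? implode(', ', $report['external_scripts']) : 'none');
    foreach ($report['findings'] as $f) {
        printf("  script #%d markers=[%s]\n    %s\n", $f['script'], implode(',', $f['markers']), $f['snippet']);
    }
}

// Constructed sample pages: one normal click handler, one injected clicker.
$benign = '<html><body><div class="ads"><a href="/out?id=1">Sponsor</a></div>'
        . '<script>document.getElementById("x").addEventListener("click", function(){ track(); });</script>'
        . '</body></html>';
$injected = '<html><body><div class="ads"><a href="/out?id=1">Sponsor</a><a href="/out?id=2">Sponsor</a></div>'
          . '<script src="/js/site.js"></script>'
          . '<script>setInterval(function(){var a=document.querySelectorAll(".ads a");'
          . 'a[Math.floor(Math.random()*a.length)].click();},30000+Math.random()*60000);</script>'
          . '</body></html>';

foreach ([['benign.html', $benign], ['injected.html', $injected]] as [$name, $html]) {
    printReport(scanHtml($name, $html));
}
// To scan a real site instead: foreach (scanDirectory('/var/www/html') as $r) printReport($r);
```

The benign page is not flagged (a click listener is not a synthetic click, and there is no timer), while the injected page is reported with all four markers. The design choice is to require two independent signals before flagging, which keeps ordinary analytics and UI code out of the report; the external script list exists because an attacker can move the same logic into a remote file, so those URLs still need a look.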

  11. Robin,

    These types of attacks have been occurring for years. You can find out more information about botnets from Gadi Evron at the securiteam.com site.

  12. Hi Matt. While not quite a “fun” read, it was an interesting paper. This sentence, however, struck me as a little odd: “It is important to note that in a Clickbot.A-type attack, top-tier search engines would not pay miscreants directly.” Whether or not Google pays the “miscreants” directly, Google is culpable. Google (and Yahoo!) need to monitor and manage their syndication partners more effectively.

    BTW, was the attack on the AdWords Search network or the Content network? Anybody know?

  13. Interesting read. Now how about the scenario where a rival runs a click bot on another rival? This in effect forces a denial of adsense revenue from a site that had nothing to do (but was receiving revenue) as a result of the click bots?

    The aim of the attacker was to force Google to cancel or suspend the rival (victim/recipient of AdSense clicks).

    If you were the victim, how would you respond to this? How do you protect yourself against such an attack?

  14. Hi Matt, I was curious if you (or anyone else) knew of other companies besides Panda software that might be instrumental in click fraud detection and deterrence?

  15. William Gallahue

    Matt,

    I have noticed a disturbing trend with a site I manage (which advertises some of the more expensive keywords in PPC). I believe a competitor is using bots to traffic google.com, click on our ads, and fill out our forms with information it is pulling from a yellow pages site. Furthermore since it traffics google.com and not a 3rd party site it appears legit and we cannot try and write up any kind of complaint.

    After clicking to our site, they appear like genuine inquiries but when we check visit history we know they are a bot because they all exhibit a common behavior pattern on the site in terms of visit history.

    I called an Ad rep and spoke to her at length about my problem but the best she could tell me was to submit logs and data and fill out an online form. Google doesn’t need to know my trade secrets and conversion data but I’m bleeding money.

    As an expert 1) Have you heard of this? 2) How can I address this without disclosing trade secrets? (Google doesn’t share any of their click data so I see no reason to share mine)

  16. Interesting paper, but it adds nothing to the discussion of bot nets or Clickbot.a in particular. Aside from repeated assertions that “all clicks had been detected by Google”, there is really nothing here to indicate that Google knew about this prior to Panda’s announcement, nor is there anything here to indicate how Google knew about a low level attack.

    Clearly, the attack was on the AdSense network as there is no financial incentive to defraud the search network (beyond competitive reasons which are unlikely to motivate a hacker).

    The motivation and opportunity to defraud the content network on Google or any other content network remains. Fraud, therefore, will continue until the motivation is removed. Plain and simple.

  17. It appears AdSense believes one of our sites may have had a click-bomb attack of some kind (even though I feel the heavy traffic could have also been legit involving a marketing or typo error by Bing search engine when they used my URL in their advertising). However, with that said, and even if invalid traffic is correct, why would AdSense issue a lifetime ban to a good publisher (with an excellent record of not getting invalid traffic) and his 2,000 active websites plus 8 years longevity and confiscate all the hard-earned income, including the fully legitimate and undisputed revenues from all the sites not under scrutiny? We can’t talk to AdSense since they told us no more appeal or communications are allowed. Not a very nice way to treat someone who has given Google AdSense and its AdWords advertisers millions of dollars in business with no problems until now over all that time and all those sites!
