Hidden click fraud botnet uncovered

Summary: Microsoft says that the Mevade botnet, which recently spiked traffic on Tor, is actually a variant of an older click fraud botnet that has been flying under the radar for 2 years.

Earlier this month, a major spike in traffic on the anonymizing network Tor called attention to a botnet, named Mevade by researchers. Probably unintentionally, Mevade caused Tor traffic to jump by almost 600%.

Mevade is a click fraud botnet, composed of hijacked PCs which send fake clicks through advertising affiliate networks in order to collect commissions.

The Microsoft Malware Protection Center (MMPC) has concluded that Mevade is not, as some supposed, a new family of malware, but a new generation of what it calls Win32/Sefnit, a well-known click fraud botnet that had been presumed inactive since 2011. It turns out Sefnit wasn't inactive; it was just stealthy enough to escape detection since then. Microsoft isn't the first to tie Mevade to Sefnit; Fox-IT noted the connection weeks ago.

Who's behind it? Trend Micro's TrendLabs ties Mevade to a specific criminal gang operating out of Ukraine and Israel.

How does it infect systems? It seems to hide inside other programs. TrendLabs says it has seen adware downloaded through the Mevade botnet. Microsoft says it has seen Mevade silently install as part of an application called "File Scout", and there are strong indications that the same programmer(s) wrote Mevade/Sefnit and File Scout.

File Scout installer that silently installs Trojan:Win32/Sefnit at the same time. Credit: Microsoft

How did Mevade/Sefnit stay off the radar for 2 years? The old Mevade used classic click fraud techniques: it loaded invisible page elements onto web sites such as Google, over the links the user intended to click. Instead of going to the link the user intended, the browser was sent through an affiliate network to a similar site. This is the old way, and it's obvious enough to the user that it gets noticed.

In 2011, Sefnit switched to a new technique, hiding its bots behind the open source 3proxy product. The bots generate the fraudulent traffic directly instead of involving the user, so the user notices nothing. The traffic is also metered to be infrequent enough that the fraud detection software and staff at the affiliates and ad networks don't notice it either.
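One defender-side check for the metering behaviour described above, as an added example that is not code from the article or from Microsoft: over constructed click logs, it flags hosts whose clicks never follow a page view from the same host and arrive at near-constant intervals, which is what throttled bot traffic looks like once volume thresholds stop helping. The log layout, thresholds and host names are assumptions.

```python
"""Flag hosts whose ad clicks look machine-metered rather than user-driven:
clicks with no page view from the same host shortly before them, and
inter-click gaps far too regular for a human; low volume alone hides both."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample log, "<ISO time> <host> <event> <url>"; not real data.
SAMPLE_LOG = """\
2013-09-01T10:00:00 host-a pageview /search?q=shoes
2013-09-01T10:00:07 host-a click /ad/123
2013-09-01T10:05:31 host-a pageview /search?q=boots
2013-09-01T10:06:02 host-a click /ad/456
2013-09-01T10:12:10 host-a pageview /search?q=socks
2013-09-01T10:12:40 host-a click /ad/789
2013-09-01T10:00:00 host-b click /ad/123
2013-09-01T10:15:00 host-b click /ad/789
2013-09-01T10:30:00 host-b click /ad/123
"""

MAX_PAGEVIEW_GAP = timedelta(seconds=60)  # a human click follows a page view
MAX_INTERVAL_CV = 0.05  # coefficient of variation below this is "metered"
MIN_CLICKS = 3          # need a few clicks before judging timing regularity


def parse_log(text):
    # Returns {host: [(time, event, url), ...]} in time order per host.
    events = defaultdict(list)
    for line in sorted(text.splitlines()):  # ISO timestamp leads, so this sorts by time
        ts, host, event, url = line.split()
        events[host].append((datetime.fromisoformat(ts), event, url))
    return events


def suspicious_hosts(text):
    # Hosts whose every click is orphaned and whose click gaps are near-constant.
    flagged = []
    for host, evs in parse_log(text).items():
        clicks = [t for t, e, _ in evs if e == "click"]
        if len(clicks) < MIN_CLICKS:
            continue
        last_view, orphan_clicks = None, 0
        for t, e, _ in evs:
            if e == "pageview":
                last_view = t
            elif last_view is None or t - last_view > MAX_PAGEVIEW_GAP:
                orphan_clicks += 1  # click with no recent page view from this host
        gaps = [(b - a).total_seconds() for a, b in zip(clicks, clicks[1:])]
        cv = pstdev(gaps) / mean(gaps) if mean(gaps) else 0.0
        if orphan_clicks == len(clicks) and cv < MAX_INTERVAL_CV:
            flagged.append(host)
    return flagged
```

On the constructed sample only host-b is flagged: its three clicks are exactly 15 minutes apart and none is preceded by a page view.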


These techniques were sophisticated enough that Mevade/Sefnit went undetected until the Tor snafu, and when it was detected it was presumed to be new.

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
