Hidden click fraud botnet uncovered

Microsoft says that the Mevade botnet, which recently spiked traffic on Tor, is actually a variant on an older click fraud botnet that has been flying under the radar for 2 years

Earlier this month, a major spike in traffic on the anonymizing network Tor called attention to a botnet, named Mevade by researchers. Probably in error, Mevade caused a jump in traffic on Tor of almost 600%.

Mevade is a click fraud botnet, composed of hijacked PCs which send fake clicks through advertising affiliate networks in order to collect commissions.

The Microsoft Malware Protection Center (MMPC) has concluded that Mevade is not, as some supposed, a new family of malware, but a new generation of the what they call Win32/Sefnit, a well-known click fraud botnet that had been presumed inactive since 2011. Turns out Sefnit wasn't inactive, it was just so stealthy that it escaped detection since then. Microsoft isn't the first to tie Mevade and Sefnit; Fox-IT noted the connection weeks ago.

Who's behind it? Trend Micro's TrendLabs ties Mevade to a specific criminal gang operating out of Ukraine and Israel.

How does it infect systems? It seems to hide inside of other programs. TrendLabs says they have seen adware downloaded through the Mevade botnet. Microsoft says they have seen it silently install as part of an application called "File Scout", and there are strong indications that the same programmer(s) wrote Meade/Sefnit and File Scout.

File Scout installer that silently installs Trojan:Win32/Sefnit as the same time. Credit: Microsoft

How did Mevade/Sefnit go off the radar for 2 years? The old Mevade used classic click fraud techniques: It loaded invisible page elements onto web sites, like Google, on which the user intended to click. Instead of going to the link the user intended, the browser goes through an affiliate network to a site which is similar. This is the old way, and it's obvious enough to the user that it gets noticed.

In 2011, Sefnit switched to a new technique, hiding its bots behind the open source 3proxy product. The bots generate the fraudulent traffic directly instead of involving the user, so the activity is not noticed. The traffic is also metered to be infrequent enough that the fraud detection software and people at the affiliates and ad networks don't notice it.

File Scout installer that silently installs Trojan:Win32/Sefnit as the same time. Credit: Microsoft

These techniques were sophisticated enough that Mevade/Sefnit went undetected until the Tor snafoo, and when it was detected it was presumed to be new.