The Good, The bad & The Ugly: The Advertiser, the Bot & the Traffic Broker

Presented at VB2016, Oct. 7, 2016, noon (30 minutes)

In recent years, online advertising fraud has become the prevalent monetizing strategy for botnets. It is a growing concern for the advertising industry as it threatens the business model of numerous websites, with losses to this kind of fraud estimated at $7 billion per year. Despite the fact that some of this malware, such as Boaxxe/Miuref and Ramdo/Redyms, have been operating for years and have been well documented, they continue to be able to defraud the advertising market. Accordingly, a better understanding on how they operate and new strategies for fighting them are needed.

In order to extract money from the advertising market, botnet operators sell their traffic to ad networks. The practice of buying and reselling traffic, i.e. arbitrage, is a common practice in the online publicity market, and therefore many intermediaries can appear between the botnet and the final advertisers. Thus, identifying the ecosystem formed by all the intermediaries is fundamental in order to find efficient strategies to mitigate this phenomenon, in a manner that is more effective and permanent than traditional malware detection and botnet take-downs.

In this paper we present the methods we have introduced and used to map this ecosystem. We detail how to reconstruct click-fraud redirection from network traces captured on malware-infected machines, a non-trivial technical problem. We will also explain our method for reconstructing the graph of intermediary actors in this ecosystem from these redirection chains.

Finally, we present the results of our study on the click-fraud malware Boaxxe/Miuref and Ramdo/Redyms. We compare the two ecosystems and show there are several important actors present in both of them. In particular, we will point out one particular Solution-as-a-Service ad network provider that seems to be the main actor in the two ecosystems, along with some other ad networks. This shows that an ecosystem disruption effort targeting few selected actors, by legal, technical or marketing means, could severely affect more than one malware family and could thus help reduce global click-fraud activity.

Presenters:

• Pierre-Marc Bureau - Google
  José Fernandez José M. Fernandez is an Associate Professor at the École Polytechnique de Montréal. There, he leads the Laboratoire de Sécurité des Systèmes d'Information (SecSI) where he conducts research on computer security.
• José Fernandez - École Polytechnique de Montréal
  Antoine Lemay Antoine Lemay is a researcher in the Department of Computer & Software Engineering at the École Polytechnique de Montréal, in Canada. His research interests include the security of industrial control systems, critical infrastructure protection, cybercrime ecosystems, and cyber conflict.
• Antoine Lemay - École Polytechnique de Montréal
  Pierre-Marc Bureau Pierre-Marc Bureau is a software developer at Google. In his position, he analyses and investigates malware in order to identify effective techniques to counter these threats. Prior to joining Google, Pierre-Marc Bureau worked on malware research with Dell SecureWorks, and ESET. Pierre-Marc Bureau finished his Master's degree in computer engineering at École Polytechnique de Montréal. His studies focused mainly on the performance evaluation of malware. He has presented at various international conferences including REcon, BlackHat Europe, Hack.lu, and Virus Bulletin. His main interests lie in reverse engineering, application and network security.
• Joan Calvet - ESET
  Joan Calvet Joan Calvet is a malware researcher working at ESET, where he is mainly involved with in-depth malware investigations. He defended his Ph.D. thesis in 2013, and has spoken at security conferences such as REcon, Virus Bulletin and DeepSec.
• Matthieu Faou - École Polytechnique de Montréal
  Matthieu Faou Matthieu Faou is a graduate student in the Laboratoire de Sécurité des Systèmes d'Information (SecSI) at the École Polytechnique de Montréal, in Canada. His research interests focus on malware and especially on click fraud.

Links:

• https://www.virusbulletin.com/conference/vb2016/abstracts/good-bad-ugly-advertiser-bot-traffic-broker
• https://www.virusbulletin.com/uploads/pdf/conference_slides/2016/Faou_Calvet_Lemay+Fernandez_Bureau-vb-2016-the-good-bad-ugly.pdf

Similar Presentations:

• DeepSec 2014 „Do you want to know more?“ / Trap a Spam-Bot for Fun and Profit
• ShmooCon XIII (2017) / A Nickel Tour of the Ad Fraud Ecosystem
• DEF CON 23 (2015) / The Bieber Project: Ad Tech 101, Fake Fans and Adventures in Buying Internet Traffic