The Chameleon botnet continues to steal millions of dollars from online advertisers through fraudulent clicks made by malware.
The botnet was first discovered in late February. Researchers at British-based Web analytics firm spider.io say more than 120,000 Microsoft Windows machines — the overwhelming majority tied to U.S. residential IP addresses — are infected with malware that targets display ads on some 202 Web sites. The company says this has resulted in 9 billion of 14 billion monthly ad impressions coming from the botnet accounts. Because of how advertisers pay for online display ads, this amounts to roughly $6 million a month in false ad views that advertisers are paying Web site owners for.
Chameleon gained prominence after the Bamital botnet was taken down by Microsoft and Symantec on Feb. 6. Although it is designed to mimic normal browsing behavior, including running a mouse over display ads, in order to avoid detection, it also tends to overload host machines, causing them to crash and restart regularly – a clue it may be time to scan for the malware.
“Each bot often masquerades as several concurrent Web site visitors, each visiting multiple pages across multiple Web sites. When a bot crashes the concurrent sessions end abruptly; upon restart the bot requests a new set of cookies. These crashes and idiosyncratic site-traversal patterns are just two of the many bot features that provide for a distinctive bot signature,” according to a blog post.
Additionally, the traffic generated by the botnet looks uniform, since all of it is directed at the same Web sites with little variation.
“All the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7,” the researchers said. They also list 5,000 IP addresses associated with the worst of the Chameleon bots that can be blacklisted as a mitigation tactic.
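The traits quoted above (several concurrent visitors per bot, sessions that end abruptly together, a new set of cookies after restart, and a uniform Internet Explorer 9.0 on Windows 7 user agent) can be combined into a simple log heuristic. The following is an added example, not spider.io's detection code; the log record layout, the sample data, the function name and the thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample impression log: (unix_time, client_ip, cookie_id, user_agent, site)
IE9_WIN7 = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)"
FIREFOX = "Mozilla/5.0 (Windows NT 6.1; rv:19.0) Gecko/20100101 Firefox/19.0"
SAMPLE_LOG = [
    (1000, "198.51.100.7", "c1", IE9_WIN7, "site-a.example"),
    (1002, "198.51.100.7", "c2", IE9_WIN7, "site-b.example"),
    (1003, "198.51.100.7", "c3", IE9_WIN7, "site-a.example"),
    (1060, "198.51.100.7", "c1", IE9_WIN7, "site-b.example"),
    (1061, "198.51.100.7", "c2", IE9_WIN7, "site-a.example"),
    (1062, "198.51.100.7", "c3", IE9_WIN7, "site-b.example"),
    # All three sessions stop together; after a gap, only new cookies appear.
    (1400, "198.51.100.7", "c4", IE9_WIN7, "site-a.example"),
    (1401, "198.51.100.7", "c5", IE9_WIN7, "site-b.example"),
    (1402, "198.51.100.7", "c6", IE9_WIN7, "site-a.example"),
    # Ordinary visitor on another browser: one persistent cookie.
    (1000, "203.0.113.9", "u1", FIREFOX, "site-a.example"),
    (1500, "203.0.113.9", "u1", FIREFOX, "news.example"),
    # Genuine IE9/Windows 7 user: the user agent alone must not trigger a flag.
    (1010, "192.0.2.44", "v1", IE9_WIN7, "site-a.example"),
    (1450, "192.0.2.44", "v1", IE9_WIN7, "site-a.example"),
]

def suspicious_ips(log, min_concurrent=3, end_window=30, restart_gap=120):
    """Return IPs matching the described signature (thresholds are assumed values)."""
    by_ip = defaultdict(list)
    for rec in log:
        by_ip[rec[1]].append(rec)
    flagged = []
    for ip, recs in by_ip.items():
        # Trait 1: every request reports IE 9.0 on Windows 7 (NT 6.1).
        if not all("MSIE 9.0" in ua and "Windows NT 6.1" in ua for _, _, _, ua, _ in recs):
            continue
        first, last = {}, {}
        for ts, _, cookie, _, _ in sorted(recs):
            first.setdefault(cookie, ts)
            last[cookie] = ts
        # Traits 2 and 3: several cookies go silent within end_window seconds,
        # no session survives that point, and a fresh cookie set appears later.
        for cutoff in sorted(set(last.values())):
            ended = [c for c in last if cutoff - end_window <= last[c] <= cutoff]
            fresh = [c for c in first if first[c] >= cutoff + restart_gap]
            alive = [c for c in last if first[c] <= cutoff < last[c]]
            if len(ended) >= min_concurrent and len(fresh) >= min_concurrent and not alive:
                flagged.append(ip)
                break
    return sorted(flagged)
```

On the constructed log, only 198.51.100.7 is flagged; the single-cookie IE9 user and the Firefox visitor are not.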