This is the second part of a two-part series on browser hijacking. The first part may be found here.
Not all traffic brokers are as unscrupulous as Onwa Ltd. Legitimate traffic brokers, however, have to be fooled into thinking that they are dealing with a legitimate party. To do this, rogue traffic brokers like Onwa Ltd. often set up a website suggesting that the broker has been running a legitimate business for a long time. Fake search websites are also set up. These fake search websites appear to drive real user traffic whereas, in reality, they only serve as intermediary steps for click fraud originating from botnets.
As these fake search engines do not get normal visitors and as advertisers may notice this, their Alexa rankings are sometimes artificially increased. This is done by bots that automatically access Alexa URLs that determine the number of visits to a site. In addition, rogue traffic brokers often split up fraudulent traffic into smaller parts so that it looks like the traffic is coming from many different sources whereas, in reality, the vast majority of the clicks come from only a handful of botnets. If an upstream traffic buyer detects fraud, the rogue traffic broker can put the blame on a rogue affiliate and can filter one of the feeds. The cybercriminal group will thus lose only a small part of its revenue instead of losing everything.
Browser hijackers are a noisy type of malware. Victims will soon notice that something is wrong once they see unexpected redirections. Therefore, the average life expectancy of the bots is relatively low. Figure 1 shows the life expectancy of a single bot based on historical data we were able to collect. In this case, the life expectancy of any single bot typically fluctuates between 6 and 12 days.
To keep the size of the botnet intact, the bot herders need to constantly infect new systems. Figure 2 shows the number of new systems added to the botnet discussed here every day. Tens of thousands of new systems are infected daily. More than 2 million computers have been infected with the browser hijacker so far this year and we expect this number to reach 4 million by the end of this year.
The browser hijackers we have been looking at come with an additional DNS changer component that changes a system’s DNS settings to point to foreign servers. The DNS servers used are hard-coded into the malware. We found that every day, the gang spreads a new malware sample that changes systems’ DNS settings to a unique pair of foreign servers.
These servers start to resolve domain names to malicious IP addresses only after a machine has been infected for about a week. We believe that this is an attempt to extend the life span of the bots. When the browser hijacker component is removed from an infected computer, the DNS changer may still be present, so the bot can still be used to hijack traffic with DNS tricks. The life span of the bots is thus significantly extended.
We expect browser hijackers to become more advanced and resilient in the future. Advanced tricks like replacing legitimate ads with foreign ones already exist today. The botnet discussed in this blog replaces DoubleClick ads with Clicksor ads once the rogue DNS component is activated. This is a form of stealth click fraud that is difficult to detect on DoubleClick's part. However, in this case, we believe there is no intermediate party between Clicksor and the cybercrime gang. We believe Clicksor should be able to detect this fraud. However, if rogue middlemen are used, detecting this becomes much more difficult.
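As an added example (not code from the original post or from Trend Micro), the two defender-side checks implied by the DNS changer and ad-swapping behaviour described above: flag hosts whose configured resolvers fall outside an approved set, and flag ad-network domains whose system-resolver answers share nothing with a trusted resolver's answers. Host names, resolver addresses and DNS answers below are constructed placeholders.

```python
"""Detection checks for a DNS-changer infection: unexpected resolver settings on
hosts, and ad-network domains that the system resolver answers differently from a
trusted resolver. All inputs are constructed samples, not real observations."""

# Resolvers an organisation expects on its hosts (assumed/hypothetical values).
APPROVED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Constructed snapshot of per-host DNS configuration; the unapproved addresses
# use documentation ranges (TEST-NET) so they are not real servers.
HOST_RESOLVERS = {
    "ws-01": ["10.0.0.53", "10.0.1.53"],
    "ws-02": ["203.0.113.10", "203.0.113.11"],   # pair of foreign resolvers
    "ws-03": ["10.0.0.53", "198.51.100.7"],      # one resolver replaced
}


def find_rogue_resolvers(host_resolvers, approved):
    """Return {host: [unapproved resolver, ...]} for every host whose configured
    DNS servers include at least one address outside the approved set."""
    findings = {}
    for host, servers in host_resolvers.items():
        bad = [s for s in servers if s not in approved]
        if bad:
            findings[host] = bad
    return findings


# Constructed answers for the same names from an infected host's system
# resolver and from a trusted resolver (documentation-range IPs only).
SYSTEM_ANSWERS = {
    "ad.doubleclick.net": {"192.0.2.55"},            # diverges: candidate hijack
    "www.example.com": {"192.0.2.1"},                # matches trusted answer
}
TRUSTED_ANSWERS = {
    "ad.doubleclick.net": {"192.0.2.10", "192.0.2.11"},
    "www.example.com": {"192.0.2.1"},
}


def find_hijacked_domains(system_answers, trusted_answers):
    """Return the sorted list of domains whose system-resolver answers share no
    address with the trusted resolver's answers. A non-empty but disjoint answer
    set is the signature of the rogue DNS behaviour; a missing answer is ignored."""
    hijacked = []
    for domain, trusted in trusted_answers.items():
        system = system_answers.get(domain, set())
        if system and not (system & trusted):
            hijacked.append(domain)
    return sorted(hijacked)
```

Because the rogue servers answer honestly for roughly the first week, the comparison has to be repeated periodically rather than run once at infection time. Ad networks also legitimately vary answers by region, so the trusted resolver should be queried from the same network as the hosts to keep false positives down.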
For users concerned about browser attacks, our free tool—Trend Micro Browser Guard—can be downloaded from http://free.antivirus.com/browser-guard/.