German Conficker B infection drives ‘Count in Fives’ ad fraud botnet


Conficker, first uncovered in 2008, is one of the most resilient worms in existence. It has no obvious purpose beyond spreading and surviving, yet we are seeing it on the rise again.

In a recent online ad campaign targeting a German audience, we found evidence of botnet activity: the botnet was responsible for over 40% of delivered impressions. The common factor behind the fraudulent impressions turned out to be Conficker B:

Figure: infection distribution

The campaign was a blind run, meaning that only the network has access to the domain data, so site-level analysis was not possible. The evidence of ad fraud became clear when we found that the majority of impressions arrived in one-minute bursts whose sizes were divisible by five.

This means that either the campaign targeted fans of the band The Horrors, or we're seeing a botnet.

To give you an idea of what leads to such statistics, here's an example from Trustwave, who uncovered the Bedep trojan in an ad fraud scheme:

Front websites for botnet operations look like any normal website, except that they feel like the uncanny valley: the content is too thin, and the whole thing is slightly off. The traffic stats check out in Quantcast and in SimilarWeb, making it difficult to call fraud when it is fraud:

Figure: Bedep front website

But if the bot visits this website through the appropriate referring link provided by the C&C server, the site unveils itself as the delivery engine for ad fraud:

Figure: the same site loaded by the bot via the C&C-supplied referrer

This page runs in invisible browser windows in the background.

From the measurement side, this behavior shows up as spikes in impression delivery:

Figure: impressions over time

Spikes are normal, to a certain extent. These spikes are abnormal in that they are far too big and far too frequent. The underlying cause was a group of users generating bursts of five or more impressions per minute throughout the day. Take this example, a user generating 200 ad views within one minute:

Figure: one user's impressions within a single minute

And if we look at all of these users throughout the day, we see that they are the ones responsible for the spikes:

Figure: impressions per minute from the burst users across the day


Up to four hundred per minute! To put that into context, most campaigns we measure as clean have only a dozen of these types of users on a given day.
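The pattern described above is simple enough to detect directly from an impression log: count impressions per user per minute, flag users with bursts, check whether the burst sizes are multiples of five, and see which minutes they push into spikes. The script below is an added example and is not code from the original post or from any measurement platform; the CSV layout (timestamp, user_id, ad_id), the thresholds, and the sample log it builds are all assumptions chosen for illustration.

```python
"""Burst-based impression fraud detection over a constructed impression log.

Added example, not code from the original post. Assumes a CSV log with columns
timestamp (ISO 8601, UTC), user_id and ad_id; thresholds are illustrative.
"""
import csv
import io
from collections import Counter
from statistics import median


def build_sample_log():
    """Constructed CSV log (not data from the post).

    Five ordinary users with one impression each in different minutes, plus two
    bot users that deliver 200 and 25 impressions inside a single minute.
    """
    rows = []
    for i in range(5):
        rows.append((f"2015-08-12T10:0{i}:17Z", f"human{i}", "ad-1"))
    rows += [(f"2015-08-12T10:02:{n % 60:02d}Z", "botA", "ad-1") for n in range(200)]
    rows += [(f"2015-08-12T10:04:{n % 60:02d}Z", "botB", "ad-1") for n in range(25)]
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["timestamp", "user_id", "ad_id"])
    writer.writerows(rows)
    return out.getvalue()


def parse_log(text):
    """Yield (minute, user_id) pairs; the minute is the timestamp cut to YYYY-MM-DDTHH:MM."""
    for rec in csv.DictReader(io.StringIO(text)):
        yield rec["timestamp"][:16], rec["user_id"]


def per_user_minute_counts(records):
    """Impressions per (minute, user) cell, the unit the post measures bursts in."""
    return Counter(records)


def burst_users(records, threshold=5):
    """Users that produced at least `threshold` impressions within some single minute."""
    counts = per_user_minute_counts(records)
    return {user for (_minute, user), n in counts.items() if n >= threshold}


def burst_sizes(records, threshold=5):
    """Sizes of all bursts (per-user-minute counts at or above the threshold), sorted."""
    return sorted(n for n in per_user_minute_counts(records).values() if n >= threshold)


def burst_share(records, threshold=5):
    """Fraction of all impressions delivered by burst users."""
    records = list(records)
    flagged = burst_users(records, threshold)
    return sum(1 for _minute, user in records if user in flagged) / len(records)


def spike_minutes(records, factor=10):
    """Minutes whose total impression count exceeds `factor` times the median minute."""
    totals = Counter(minute for minute, _user in records)
    baseline = median(totals.values())
    return sorted(m for m, n in totals.items() if n > factor * baseline)


if __name__ == "__main__":
    log = list(parse_log(build_sample_log()))
    sizes = burst_sizes(log)
    print("burst users:", sorted(burst_users(log)))
    print("burst sizes:", sizes)
    print("all bursts divisible by five:", all(n % 5 == 0 for n in sizes))
    print(f"share of impressions from burst users: {burst_share(log):.1%}")
    print("spike minutes:", spike_minutes(log))
```

On the constructed log the two bot users account for almost all impressions, both burst sizes are multiples of five, and the two minutes they fire in are the only ones that stand out against the median. On a real campaign the burst threshold should be tuned against the dozen-or-so burst users a clean campaign produces per day, and the "divisible by five" test is a fingerprint of this particular botnet rather than a general rule.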

Within this segment, Virustracker identified most users as infected, mostly with Conficker B.

As always, we advise everyone who's buying online media to:

– work with trustworthy partners

– use up-to-date ad verification

– apply modern anti-fraud technology

to protect your budget. In this case, 40% of all impressions delivered in this campaign came from this “Count in Fives” botnet.

If you're wondering what sort of risk you might face from this particular threat, have a look at Shadowserver's statistics, which track Conficker infections:

180 day Conficker A+B population by Shadowserver

Notable countries are Germany, the UK, the Czech Republic, Italy and Poland. Whether the local Conficker populations are being used as a vehicle for ad fraud or not, time and measurement will tell.
