The Google-employees Neil Daswani and Michael Stoppelman from the Click-Quality-Team published the inspection details of clickfraud-network which enables us to catch a glimpse of a department that is usually very publicity-shy.

They inspected the architecture and the behavior of the bot with the name “Clickbot.A” which had infected more than 100.000 computers. The implementation of the clickbot as a BrowserHelperObject (BHO) which latches onto the Microsoft Internet Explorer has the advantage that this way, they can access the whole browser-interface which eases the imitation of a real user. In comparison to the other Bots that were distributed until now, This one does not use the IRC-protocol to communicate with the network administrator anymore but, just as for the clicks, uses HTTP – this makes it easier to circumvent firewall and router.

When a new client is infected and the BHO has successfully registered with the Internet Explorer, it will be launched every time the browser is started. It will then report to the administrators server and receive a list with pseudosearchengines that are to be visited, including which keywords to search for. As far as Clickbot.A was concerned, the domains and keywords were predominantly housed in the erotic-sector, but also other areas with high click prices were affected. Seeing that the bot would request permission for every click from the administrator server, the click rates could be controlled well and could therefore generate “naturally” looking traffic.

It was estimated that this botnet could have caused damages in the range of 50.000 US-dollar – however, depending on the length of the operation, much higher sums could be possible. Interesting to note is that the authors mention that networks like this are not always closed down once invalid clicks are detected and therefore not compensated, but that in some cases they are kept running to gather informations about the operators or the software.