Massive Chameleon botnet steals $6M per month from advertisers

Web traffic analytics firm spider.io has discovered a massive botnet that emulates human visitors in order to earn its master(s) over $6 million per month from online advertisers.

Dubbed Chameleon, the botnet numbers over 120,000 hosts located in the US, running Microsoft Windows and accessing the Web through a Flash-enabled Trident-based browser that executes JavaScript.

“Chameleon is a sophisticated botnet,” the researchers shared. “Bots generate click traces indicative of normal users. Bots also generate client-side events indicative of normal user engagement. They click on ad impressions with an average click-through rate of 0.02%; and they surprisingly generate mouse traces across 11% of ad impressions.”

The company has been tracking the botnet since last December, searching for specific patterns typical of this bot activity, such as crashing and restarting regularly, targeting a specific cluster of 202 websites, simulating the visitation of a number of web pages across a number of websites, and so on.

Apart from its obvious sophistication, the botnet is also notable for the amount of money it generates for its master(s), and for being the first one spotted to affect display ad advertisers instead of text link ones.

Every month the botnet has been serving at least 14 billion ad impressions, using at least 7 million distinct ad-exchange cookies, exchanged after each bot crash.

“Despite the sophistication of each individual bot at the micro level, the traffic generated by the botnet in aggregate is highly homogenous,” the researchers pointed out. “All the bot browsers report themselves as being Internet Explorer 9.0 running on Windows 7. The bots visit the same set of websites, with little variation. The bots generate uniformly random click co-ordinates across ad impressions and the bots also generate randomized mouse traces.”

Spider.io has compiled a blacklist of 5,000 IP addresses of the worst bots participating in the Chameleon botnet.