A botnet, initially run through compromised servers in the Bahamas, has been blamed for the recent upsurge in scareware scams.
Researchers from security firm Click Forensics have tied the Bahama botnet to a recent attack that resulted in pop-up ads punting rogue anti-virus software appearing via the New York Times website. The scam attempted to trick surfers into purchasing software called Personal Antivirus by falsely warning that their systems were infected with non-existent threats.
Personal Antivirus, far from offering a clean-up utility as advertised, infected compromised systems with a Trojan. Click Forensics said this Trojan is distributed by a gang of cybercrooks in the Ukraine called the Ukrainian fan club, who are also heavily involved in click fraud.
"We believe the Bahama botnet is controlled by this same gang, or their neighbors down the street," Click Forensics reports. "We’re pretty sure the Bahama botnet is related to the Ukrainian fan club and the NYTimes.com scareware because they each phone back to a bogus 'Windows protection' domain located on the same IP address."
Compromised hosts in the Bahama botnet generate auto-generated clicks as part of a click fraud scam that offers an additional income for crooks. This click fraud traffic is carefully designed to elude detection by search engines and ad networks by mimicking genuine searches. "The botnet is effectively disguising the fraud it produces as 'good traffic' by altering the interval and breadth of the attacks across legions of infected machines," Paul Pellman, chief exec of Click Forensic, explained.
Click Forensics first detected the Bahama botnet when they discovered it was redirecting traffic through 200,000 parked domain sites located in the Bahamas. Since then the zombie network has been reprogrammed to redirect traffic through other intermediate sites hosted in the Netherlands, US and the UK. The click fraud carried out by the botnet is explained in more detail in the video (below).
More on the Ukrainian "fan club" and its involvement in the NYT malvertisement campaign can be found in a blog post by independent security researcher Dancho Danchev here. ®