Inside A Botnet: Athena and Ad Fraud
One of the most prevalent forms of waste and fraud in today’s digital ad ecosystem is from botnets. A botnet is a network of computers infected with malware and controlled without the user being aware, typically for nefarious activities including various forms of digital ad fraud.
To share with you some additional insight into how botnets are used to create invalid traffic and ad impressions, let's take a deeper look at the Athena botnet. Like other botnet codebases, Athena software was developed to control and manage a collection of hacked machines. The widely used Athena codebase was leaked in September 2013, and security vendors quickly detailed the botnet's inner workings. However, because none of the write-ups discussed the impression fraud modules that were included in the codebase, I wanted to take the opportunity to fill that knowledge gap. Beyond its availability, Athena was selected as a good example of an impression fraud threat that can easily evade methods such as viewability checks and IP blacklists.
Athena has two primary components: 1) infection software that connects victims to the botnet command and control channel, and 2) a management interface for directing the infected machines. Athena does not address delivery or obfuscation of the exploit code. It simply supplies control mechanisms after machines are infected. The collection of infected machines reporting to a given URL is a botnet. The HTTP-based communication includes initial bot setup, bot status updates and dispatching tasks. Besides overseeing bots, the command and control machine hosts a web portal which allows botmasters to direct the botnet.
I created a lab environment to study the behavior of Athena's advertising fraud mechanisms. To do this, the LAMP stack was installed on the command and control box, the management panel was copied into /var/www, and Athena's setup scripts configured the database. Accessing http://localhost/login verified that the portal was working correctly. The next step was to create the Windows executable that connects machines to the botnet. The Athena builder program accepts several parameters (one of which is the URL of the command and control machine) and outputs an exploit executable. The final step is recruiting victim machines into the botnet. This is as simple as running the exploit executable on a collection of Windows installations. The exploit process removes the executable, and a short while later that machine appears in the portal's botlist. After a couple of hours' work, a botnet has been assembled and is ready for experiments.
The botmaster's management interface offers much of the same functionality as other modern management interfaces, including an effort towards user experience and human factors engineering. With no technical expertise the botmaster can control every aspect of the botnet from this interface. For example, the management interface supports multiple accounts each with their own set of permissions. It reports real-time statistics about the status of the botnet. Botmasters can use the interface to manage the queue of commands that will be delivered to drones to execute. The UI also enables command execution progress to be tracked.
Issuing commands to the botnet is accomplished by using the "Create Command" page. Each command has a set of specific parameters. For example, the Download & Execute command has a URL parameter that requires the specification of a URL of code to run. Finally, the filters section is used to specify which bots will be issued the command. This allows commands to be sent to the subset of bots that meet a specified set of requirements. I will focus on advertising-specific commands, but here is the full list of commands (note that distributed denial-of-service commands have their own tab):
The first two impression fraud commands are View and View Hidden. These have identical results except for their appearance on the infected machines. The View command will open an Internet Explorer instance (even if another browser is the default) and browse to the given URL. View Hidden also uses Internet Explorer to load the URL, but the instance of Internet Explorer is hidden from the desktop (and from the infected machine's users). This allows the botnet to load webpages without the risk of revealing the infection through unexpected browser windows. Once the View command is created it is entered into the queue of active commands. The next time each bot phones home, the bot will receive the command and immediately view the specified URL a single time. This has the effect of driving an unwilling audience of infected machines to the URL of the botmaster's choosing.
SmartView is an incremental refinement to the View Hidden command. It adds randomness to the opening and closing of the hidden window. It requires two parameters that specify how long to wait before opening the URL and how long to keep the page open respectively. After the command is issued, the bot selects a random number up to Opening Interval and waits for that many seconds before viewing the page. In the same way the bot selects a random number up to Closing Interval in order to determine how long to keep the page open. This allows the impression views to appear slightly more “organic” and to better imitate human behavior, since each bot has the page open in a slightly different period.
Athena's distributed nature combined with its use of local browser instances makes it a formidable threat for standard viewability detection methods. Since the source IP addresses of the fraudulent views belong to the live but infected machines in the botnet, the effectiveness of IP blacklists will be limited. Also, the infected user's installation of Internet Explorer is used, including the user's history, cookies, and profile. This means that a user with a long history of conversions and a well-defined profile could be inadvertently driving fraudulent views alongside their normal Internet usage. The implication is that many different versions of Internet Explorer and plug-in configurations will be seen at the target URL, rendering simple User-Agent filters ineffective. Finally, views delivered from the Athena botnet are 100% viewable. The page geometry calculation shows any above-the-fold impressions within the browser's viewport, and therefore viewable.
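Because IP reputation, User-Agent filtering and viewability all fail against this traffic, a defender has to look at the shape of the traffic instead. The following is an added example, not code from the original post: each bot views the commanded URL exactly once when it next phones home, so a command shows up in an impression log as a burst of distinct source IPs that almost all appear a single time. The log lines, thresholds (120-second window, 5 IPs, 90% single-view ratio) and field layout are constructed assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample impression log (hypothetical IPs, agents and URLs; not
# data from the original write-up). Fields: timestamp ip user_agent url
SAMPLE_LOG = """\
2013-10-01T12:00:03 10.0.0.11 MSIE/8.0 http://ads.example/banner
2013-10-01T12:00:09 10.0.0.23 MSIE/9.0 http://ads.example/banner
2013-10-01T12:00:14 10.0.0.37 MSIE/7.0 http://ads.example/banner
2013-10-01T12:00:21 10.0.0.42 MSIE/10.0 http://ads.example/banner
2013-10-01T12:00:33 10.0.0.58 MSIE/8.0 http://ads.example/banner
2013-10-01T12:00:40 10.0.0.64 MSIE/9.0 http://ads.example/banner
2013-10-01T12:00:02 10.0.0.90 MSIE/9.0 http://news.example/home
2013-10-01T12:00:30 10.0.0.90 MSIE/9.0 http://news.example/home
2013-10-01T12:00:55 10.0.0.91 MSIE/8.0 http://news.example/home
"""

def parse(log_text):
    """Parse log lines into (timestamp, ip, user_agent, url) tuples."""
    records = []
    for line in log_text.splitlines():
        ts, ip, ua, url = line.split(None, 3)
        records.append((datetime.fromisoformat(ts), ip, ua, url))
    return records

def single_view_bursts(records, window_s=120, min_ips=5, min_ratio=0.9):
    """Flag URLs hit, inside one sliding window, by many distinct source IPs
    almost all of which appear exactly once: the shape one Athena View
    command produces. IP reputation and User-Agent are deliberately not
    used, since the views come from victims' own browsers and IPs."""
    by_url = defaultdict(list)
    for ts, ip, _ua, url in records:
        by_url[url].append((ts, ip))
    flagged = {}
    for url, hits in by_url.items():
        hits.sort()  # time-ordered, so each window is a prefix of hits[i:]
        for i, (start, _) in enumerate(hits):
            in_win = [ip for ts, ip in hits[i:] if (ts - start).total_seconds() <= window_s]
            counts = Counter(in_win)
            if len(counts) < min_ips:
                continue
            ratio = sum(1 for c in counts.values() if c == 1) / len(counts)
            if ratio >= min_ratio:
                span = (hits[i + len(in_win) - 1][0] - start).total_seconds()
                flagged[url] = (len(counts), round(ratio, 2), span)
                break  # one finding per URL is enough for the report
    return flagged

if __name__ == "__main__":
    print(single_view_bursts(parse(SAMPLE_LOG)))
```

The heuristic will also fire on legitimate traffic spikes with many one-time visitors, so it is a triage signal to combine with other evidence, not a verdict on its own.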