
Methbot advertising botnet brings $3–$5 million per day to its owners



There are many botnets in the world; some are frankly unsuccessful (if that word applies here), while others could be called works of art. The goals of botnet developers also vary widely, but the most common one is making money.

The developers of the Methbot bot farm have built a genuine money machine that brings its owners several million US dollars a day. The botnet was first discovered and analyzed by specialists at White Ops. According to the experts, it belongs to the hacker group AFT13, which is believed to be Russian.

Botnets frequently specialize in advertising fraud. Their developers infect users' PCs with malware by various means; the malware then generates ad clicks and views, which at times earns the system's creator very substantial sums. The developers of the botnet in question evidently considered infecting users' PCs not good enough. Instead, they chose to work with "dead souls", that is, fake users.


A detailed analysis of the botnet showed that the infrastructure built by the cybercriminals comprises roughly 800-1200 servers located in data centers in the United States and the Netherlands. The attackers also hold a pool of more than half a million IPv4 addresses, all geolocated to the United States. By various estimates, such a volume of real addresses can cost about $2–$4 million.

The authors of Methbot operate according to an original scheme: they spoof the addresses of their own sites. First, the bot automatically picks a domain or address from a list of premium publishers. Then, again automatically, a fake page is created containing everything needed to generate ad impressions and video ad requests to various ad networks. The bot handles the advertising while simulating a browser through a proxy and, as already mentioned, uses techniques that help the botnet imitate the behavior of an ordinary user.

What sets this bot apart from similar projects is its extensive but well-hidden infrastructure. The developers apparently executed a long-planned scheme whose first stage was deploying the infrastructure while simultaneously concealing it. The bot farm runs on Node.js and a number of open source libraries, which lets the attackers imitate a browser. To avoid detection by security systems, the botnet simulates various browsers and operating systems. It also skillfully imitates mouse cursor movement, clicks, and network activity so that the ad systems' protections do not trigger.
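As an added illustration of the defender's side (example code, not from the article or from White Ops), here is a small Python check over ad-request log lines for two of the traits described above: requests that claim a premium publisher's page but arrive from server hosting ranges, and machine-regular request timing. The publisher list, IP ranges and log lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample ad-request log (timestamp, client IP, claimed page URL, user agent).
# Every IP, domain and range below is made up for illustration; none comes from the article.
SAMPLE_LOG = """\
2016-12-20T10:00:00Z 203.0.113.10 https://premium-news.example/a/1 Mozilla/5.0 (Windows NT 10.0) Chrome/55.0
2016-12-20T10:00:02Z 203.0.113.10 https://premium-news.example/a/2 Mozilla/5.0 (Windows NT 10.0) Chrome/55.0
2016-12-20T10:00:04Z 203.0.113.10 https://premium-news.example/a/3 Mozilla/5.0 (Windows NT 10.0) Chrome/55.0
2016-12-20T10:00:06Z 203.0.113.10 https://premium-news.example/a/4 Mozilla/5.0 (Windows NT 10.0) Chrome/55.0
2016-12-20T10:03:17Z 198.51.100.7 https://premium-news.example/a/9 Mozilla/5.0 (Macintosh) Safari/602.1
2016-12-20T10:09:41Z 198.51.100.7 https://blog.example/post Mozilla/5.0 (Macintosh) Safari/602.1
"""

PREMIUM_PUBLISHERS = {"premium-news.example"}                  # constructed allow-list
DATACENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # constructed hosting ranges
MIN_REQUESTS = 4        # need a few requests before judging timing
MAX_JITTER_SECONDS = 1  # humans do not click on a metronome

def parse_log(text):
    """Yield (timestamp, ip, domain) per line; the user agent is not used by this check."""
    for line in text.splitlines():
        ts, ip, url, _ua = line.split(maxsplit=3)
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ipaddress.ip_address(ip), urlparse(url).hostname

def analyze(log_text, premium=PREMIUM_PUBLISHERS, dc_ranges=DATACENTER_RANGES):
    """Return {ip: set(reasons)} for clients whose traffic fits the pattern described above."""
    reasons = defaultdict(set)
    times = defaultdict(list)
    for ts, ip, domain in parse_log(log_text):
        times[ip].append(ts)
        # A premium publisher's page should be rendered by visitors, not by servers in a hosting range.
        if domain in premium and any(ip in net for net in dc_ranges):
            reasons[ip].add("premium domain served from hosting range")
    for ip, stamps in times.items():
        if len(stamps) < MIN_REQUESTS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # Near-constant gaps between requests point to scripted "viewing" rather than a person.
        if max(gaps) - min(gaps) <= MAX_JITTER_SECONDS:
            reasons[ip].add("machine-regular request timing")
    return {str(ip): r for ip, r in reasons.items()}

if __name__ == "__main__":
    for ip, why in analyze(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(sorted(why)))
```

In real deployments the hosting ranges would come from an ASN or cloud-provider feed and the timing threshold would be tuned per ad format; the two heuristics are complementary, since either alone produces false positives.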



The botnet's creators earn most of their money on premium video ads, which are "viewed" by fake users in the regions with the highest ad rates.

The investigation now involves not only the partners of the company that discovered the botnet, but also the FBI.

Source: https://habr.com/ru/post/318172/

