Xpaj Botnet Intercepts 87 Million Web Searches In Click-Fraud Scheme

Symantec Security Response researchers said Friday they recently uncovered the file-infector W32.Xpaj.B botnet, also known simply as Xpaj, by digging up command and control servers containing encrypted binary data, encryption keys, databases and Web applications used in conjunction with a widespread click-fraud scheme over the last several months.

Kevin Haley, director at Symantec Security Response, said that what made this click-fraud botnet unique was that it contained stealth code that enabled it to hide itself in an infected file to avoid detection.

It also avoided infecting specific domains, such as .mail, .gov and .int, as well as domains registered in several Eastern European countries, likely “to stay out of the view of law enforcement and the U.S. government,” Haley said.

“Stealth was more important than efficiency,” Haley said.

Like most botnets, Xpaj sent download requests to specific command and control servers. During an attack, infected executables from the Xpaj botnet initially gained access to the computer and spread through shared drives, before downloading encrypted binary data.

Once the binary data was executed, the malware monitored the user’s Web traffic with the intention of intercepting any searches or clicks. The intercepted data was sent immediately the command and control server. The command and control server then responded with a Web address sent to affected users, which subsequently redirected them to an advertisement without their consent. As with the majority of click-fraud scams, cyber criminals subsequently were paid by the advertiser once the user clicked on the advertisement.

Researchers found that the command and control servers received clicks, which were stored in log files and copied every 12 hours to a central server. The central server then processed the data by extracting the number of searches, click and amount earned per click from the collected data.

Haley also said the findings were unusual in that the research team was able to get its hands on the command and control server, which revealed key data that enabled them to see how much money the cyber criminals were making, as well as the number of clicks, and dollar amounts.

“We don’t really get that kind of insight very often,” Haley said.

Thus far, the scheme has been responsible for intercepting around 87 million searches between September 2010 and June 2011, averaging between 11,000 and 25,000 connections per day that resulted in the interception of about 241,000 searches per day.

Based on data analyzed from the server, researchers estimated that the scheme grossed the cybercriminals around $46,000, with a high range of $62,000, per year.

Haley said that while 87 million intercepted Web sites appeared significant, the scheme only netted the cyber criminals a modest reward, which was likely typical of such scams. “The money to be made on the low end is not enough to give you a rich lifestyle,” Haley said. “But on the plus side, it’s low maintenance. Once you get the business set up, there’s not a lot of work that goes into it.”