Maybe NOW...
...someone will start to do something concrete, instead of wringing their hands and proposing draconian snooping regimes.
A recently discovered botnet has been caught siphoning ad revenue away from Google, Yahoo! and Bing and funneling it to smaller networks. According to researchers at Click Forensics, computers that are part of the so-called Bahama Botnet are infected with malware that sends them to counterfeit search pages instead of the real …
So all the searches appear to come from one IP address? But Google blocks IP addresses making too many searches... (not sure about the others, but I assume they do too)
That makes it kind of easy to block, even if the traffic is below the threshold for automatic blocking. Why don't they modify the page on the client instead to avoid that problem?
If you are in a botnet? F'ning Windoze is downloading a super important patch, I mean update, no, it's adverts! As well as Adobe screwing with my Flash environment. Then I have some dumbass program that thinks it constantly needs updating or authorizing. I can't tell good communication from bad, or control it. They deserve what happens.
As I understand it, all searches on compromised machines go through the one IP address, but that doesn't mean that that same IP address has to be the one that makes the queries to Google. Could be a multi-homed machine, could use proxies. Could even route the requests back through infected machines, for all that.
Are you even sure, though, that Google actually implements the system you're talking about? How would it handle large networks behind NAT gateways and IP address changes to said gateways?
No, they are only controlled via that IP; all searches will still appear to come from the individual IP addresses that are already compromised by that bot.
To be honest, this isn't anything new; search result hijacking is one of the newer methods of making money as the scareware industry starts losing a bit of steam.
I use a software firewall on my PC. I let nothing out unless I know exactly what it is and why it is connecting. I disable the running of any and all auto-update agents (except Avast, my AV program). I update everything manually from the developer's website. More work, yes. Secure? I don't know; there are a lot of people out there far smarter than I. At least I give myself the illusion of control and security. As an added measure I will, if I suspect something nefarious, connect my box to the internet via Honeywall and sniff every single packet during start-up and the first 5 or so minutes of runtime. I check every IP address Windoze connects to and look inside each packet that passes that I haven't initiated. I can see the LEDs on my switch; any random activity on the port connected to my router also raises my suspicions.
Paranoid maybe... My last infection was the Saddam virus on my Amiga.
Of course I only do this for my XP install. My OpenBSD and Ubuntu machines, up until now, allow me to sleep like a baby. I would expect that to change WHEN Linux becomes the dominant OS.
Oh, they do it all right; the company I work for decided to consolidate all its European proxy traffic through a host in Germany.
Most lunchtimes you get caught by a CAPTCHA, and our internal helpdesk gets hit with calls that the internets are broked.
There is also the constant complaint by the same users that the results page comes up as google.de rather than .com
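As an added illustration of the two points raised in the thread (per-IP search blocking being easy to evade with many infected hosts, and a corporate proxy or NAT gateway getting caught by that same limit), here is a small per-IP sliding-window rate limiter run over constructed traffic. This is example code written for this page, not anything from the original posts and not Google's actual rate-limiting logic; the threshold (100 requests per 60 seconds), the window, the IP ranges and the traffic shapes are all made-up assumptions.

```python
from collections import defaultdict, deque


class IpRateLimiter:
    """Sliding-window rate limiter keyed on source IP.

    Hypothetical stand-in for a search engine's per-IP abuse check;
    the real logic is not public and is certainly richer than this.
    """

    def __init__(self, max_requests, window_seconds):
        self.max_requests = max_requests
        self.window = window_seconds
        self.events = defaultdict(deque)  # ip -> timestamps of recent requests

    def allow(self, ip, now):
        q = self.events[ip]
        # drop timestamps that have aged out of the window
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.max_requests:
            return False
        q.append(now)
        return True


def simulate(limiter, requests):
    """Feed (timestamp, source_ip, client_id) tuples through the limiter.

    Returns allowed/blocked request counts and how many distinct
    clients (people or bots) saw at least one blocked request.
    """
    allowed = blocked = 0
    blocked_clients = set()
    for ts, ip, client in sorted(requests):
        if limiter.allow(ip, ts):
            allowed += 1
        else:
            blocked += 1
            blocked_clients.add(client)
    return {"allowed": allowed, "blocked": blocked,
            "blocked_clients": len(blocked_clients)}


def nat_office_traffic(users=50, searches_each=3, duration=60.0):
    """Constructed sample: 50 legitimate users behind ONE proxy/NAT IP,
    each doing only 3 searches in a minute (150 requests, one source IP)."""
    total = users * searches_each
    reqs = []
    for u in range(users):
        for k in range(searches_each):
            ts = (u * searches_each + k) * duration / total
            reqs.append((ts, "203.0.113.10", f"user{u}"))  # RFC 5737 doc address
    return reqs


def botnet_traffic(bots=200, searches_each=3, duration=60.0):
    """Constructed sample: 200 infected hosts, each with its OWN IP,
    each doing 3 searches in a minute (600 requests, 200 source IPs)."""
    total = bots * searches_each
    reqs = []
    for b in range(bots):
        ip = f"198.51.100.{b}"  # RFC 5737 doc range; one address per bot
        for k in range(searches_each):
            ts = (b * searches_each + k) * duration / total
            reqs.append((ts, ip, f"bot{b}"))
    return reqs


def run_scenarios(max_requests=100, window=60.0):
    """Run both constructed scenarios against a fresh limiter each."""
    nat = simulate(IpRateLimiter(max_requests, window), nat_office_traffic())
    bot = simulate(IpRateLimiter(max_requests, window), botnet_traffic())
    return {"nat_office": nat, "botnet": bot}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

With these numbers the office behind a single proxy gets its last 50 searches refused (17 different people notice a block, the lunchtime helpdesk call from the thread), while 600 searches from 200 infected hosts sail through because no single address ever gets near the threshold. A limiter keyed only on source IP is therefore the wrong tool for botnet-driven click fraud; it mostly punishes NAT and proxy users, which is why a CAPTCHA challenge rather than a hard block is the usual compromise.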