The Good, The bad & The Ugly: The Advertiser, the Bot & the Traffic Broker

Friday 7 October 12:00 - 12:30, Red room

Matthieu Faou (École Polytechnique de Montréal)
Joan Calvet (ESET)
Antoine Lemay (École Polytechnique de Montréal)
José Fernandez (École Polytechnique de Montréal)
Pierre-Marc Bureau (Google)

In recent years, online advertising fraud has become the prevalent monetizing strategy for botnets. It is a growing concern for the advertising industry as it threatens the business model of numerous websites, with losses to this kind of fraud estimated at $7 billion per year. Despite the fact that some of this malware, such as Boaxxe/Miuref and Ramdo/Redyms, have been operating for years and have been well documented, they continue to be able to defraud the advertising market. Accordingly, a better understanding on how they operate and new strategies for fighting them are needed.

In order to extract money from the advertising market, botnet operators sell their traffic to ad networks. The practice of buying and reselling traffic, i.e. arbitrage, is a common practice in the online publicity market, and therefore many intermediaries can appear between the botnet and the final advertisers. Thus, identifying the ecosystem formed by all the intermediaries is fundamental in order to find efficient strategies to mitigate this phenomenon, in a manner that is more effective and permanent than traditional malware detection and botnet take-downs.

In this paper we present the methods we have introduced and used to map this ecosystem. We detail how to reconstruct click-fraud redirection from network traces captured on malware-infected machines, a non-trivial technical problem. We will also explain our method for reconstructing the graph of intermediary actors in this ecosystem from these redirection chains.

Finally, we present the results of our study on the click-fraud malware Boaxxe/Miuref and Ramdo/Redyms. We compare the two ecosystems and show there are several important actors present in both of them. In particular, we will point out one particular Solution-as-a-Service ad network provider that seems to be the main actor in the two ecosystems, along with some other ad networks. This shows that an ecosystem disruption effort targeting few selected actors, by legal, technical or marketing means, could severely affect more than one malware family and could thus help reduce global click-fraud activity.

Click here for more details about the conference.


Matthieu Faou

Matthieu Faou is a graduate student in the Laboratoire de Sécurité des Systèmes d'Information (SecSI) at the École Polytechnique de Montréal, in Canada. His research interests focus on malware and especially on click fraud.


 Joan Calvet

Joan Calvet is a malware researcher working at ESET, where he is mainly involved with in-depth malware investigations. He defended his Ph.D. thesis in 2013, and has spoken at security conferences such as REcon, Virus Bulletin and DeepSec.



Pierre-Marc Bureau

Pierre-Marc Bureau is a software developer at Google. In his position, he analyses and investigates malware in order to identify effective techniques to counter these threats. Prior to joining Google, Pierre-Marc Bureau worked on malware research with Dell SecureWorks, and ESET. Pierre-Marc Bureau finished his Master's degree in computer engineering at École Polytechnique de Montréal. His studies focused mainly on the performance evaluation of malware. He has presented at various international conferences including REcon, BlackHat Europe,, and Virus Bulletin. His main interests lie in reverse engineering, application and network security.



 Antoine Lemay

Antoine Lemay is a researcher in the Department of Computer & Software Engineering at the École Polytechnique de Montréal, in Canada. His research interests include the security of industrial control systems, critical infrastructure protection, cybercrime ecosystems, and cyber conflict.


 José Fernandez

José M. Fernandez is an Associate Professor at the École Polytechnique de Montréal. There, he leads the Laboratoire de Sécurité des Systèmes d'Information (SecSI) where he conducts research on computer security.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.