Financial Lower Bounds of Online Advertising Abuse

A Four Year Case Study of the TDSS/TDL4 Botnet
  • Yizheng Chen
  • Panagiotis Kintis
  • Manos Antonakakis
  • Yacin Nadji
  • David Dagon
  • Wenke Lee
  • Michael Farrell
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9721)


Online advertising is a complex online business that has become a target of abuse. Recent charges filed by the United States Department of Justice against the operators of the DNSChanger botnet stated that the botnet operators stole approximately US$14 million [11, 18] over two years. Using monetization tactics similar to DNSChanger, several large botnets (e.g., ZeroAccess and TDSS/TDL4) abuse the ad ecosystem at scale. In order to understand the depth of the financial abuse problem, we need methods that enable us to passively study large botnets and estimate lower bounds on their financial abuse. In this paper we present a system, A²S, which is able to analyze one of the most complex, sophisticated, and long-lived botnets: TDSS/TDL4. Using passive datasets from a large Internet Service Provider in North America, we conservatively estimate lower bounds on the financial abuse TDSS/TDL4 has inflicted on the advertising ecosystem since 2010. Over its lifetime, less than 15% of the botnet's victims caused at least US$346 million in damages to advertisers due to impression fraud. TDSS/TDL4 abuse translates to an average loss of US$340 thousand per day to advertisers, three times the fraud estimate for the ZeroAccess botnet [27] and more than ten times that for the DNSChanger botnet [2].



The authors would like to thank Dr. Brett Stone-Gross and Dag Liodden for their comments and feedback. This material is based upon work supported in part by the US Department of Commerce under grant no. 2106DEK and Georgia Tech Research Institute (GTRI) IRAD grant no. 21043091. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the US Department of Commerce or GTRI.


  1.
  2.
  3.
  4. Antonakakis, M., Demar, J., Stevens, K., Dagon, D.: Unveiling the network criminal infrastructure of TDSS/TDL4 DGAv14: a case study on a new TDSS/TDL4 variant. Technical report, Damballa Inc. and Georgia Institute of Technology (GTISC) (2012)
  5. Blizard, T., Livic, N.: Click-fraud monetizing malware: a survey and case study. In: 2012 7th International Conference on Malicious and Unwanted Software (MALWARE), pp. 67–72. IEEE (2012)
  6.
  7. Bruneau, G., Wanner, R.: DNS Sinkhole. Technical report, SANS Institute InfoSec Reading Room, August 2010
  8. Interactive Advertising Bureau (IAB): Viewability Has Arrived: What You Need To Know To See Through This Sea Change (2014)
  9. Daswani, N., Stoppelman, M.: The anatomy of Clickbot.A. In: Proceedings of the First Workshop on Hot Topics in Understanding Botnets (HotBots), p. 11. USENIX Association (2007)
  10. Dave, V., Guha, S., Zhang, Y.: Measuring and fingerprinting click-spam in ad networks. In: Proceedings of the ACM SIGCOMM 2012 Conference on Applications, Technologies, Architectures, and Protocols for Computer Communication, pp. 175–186. ACM (2012)
  11. FBI New York Field Office: Defendant Charged In Massive Internet Fraud Scheme Extradited From Estonia Appeared In Manhattan Federal Court, April 2012
  12.
  13. Google: Ad traffic quality resource center
  14. Google: How Google uses conversion data
  15. Google: Just in time for the holidays – viewability across the Google Display Network, December 2013
  16. Hyndman, R.J.: Transforming data with zeros (2010)
  17. Kelleher, T.: How Microsoft Advertising helps protect advertisers from invalid traffic
  18. LawFuel (ed.): Massive Internet Fraud Nets Extradicted Estonian Defendant at Least $14 Million, October 2014
  19. Li, Z., Zhang, K., Xie, Y., Yu, F., Wang, X.: Knowing your enemy: understanding and detecting malicious web advertising. In: Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS), pp. 674–686. ACM (2012)
  20. Matrosov, A.: TDSS part 1 through 4 (2011)
  21. Messaging Anti-Abuse Working Group et al.: MAAWG Best Practices for the Use of a Walled Garden. San Francisco, CA (2007)
  22. Meyer, D., et al.: University of Oregon Route Views Project (2005)
  23. Mockapetris, P.: Domain names - concepts and facilities (1987)
  24. Mockapetris, P.: Domain names - implementation and specification (1987)
  25. Neville, A.: Waledac reloaded: Trojan.Rloader.B (2013)
  26. Parkour, M.: Collection of pcap files from malware analysis (2013)
  27. Pearce, P., Dave, V., Grier, C., Levchenko, K., Guha, S., McCoy, D., Paxson, V., Savage, S., Voelker, G.M.: Characterizing large-scale click fraud in ZeroAccess. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 2014), pp. 141–152. ACM, New York, NY, USA (2014)
  28. Pelleg, D., Moore, A.W.: X-means: extending k-means with efficient estimation of the number of clusters. In: Proceedings of the Seventeenth International Conference on Machine Learning (ICML 2000), pp. 727–734. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA (2000)
  29. Rodionov, E., Matrosov, A.: The evolution of TDL: conquering x64. ESET, June 2011
  30. Rossow, C., Andriesse, D., Werner, T., Stone-Gross, B., Plohmann, D., Dietrich, C.J., Bos, H.: SoK: P2PWNED - modeling and evaluating the resilience of peer-to-peer botnets. In: 2013 IEEE Symposium on Security and Privacy (SP), pp. 97–111. IEEE (2013)
  31. Springborn, K., Barford, P.: Impression fraud in online advertising via pay-per-view networks. In: Proceedings of the 22nd USENIX Security Symposium, Washington, DC. USENIX Association (2013)
  32. Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: analysis of a botnet takeover. In: Proceedings of the 16th ACM Conference on Computer and Communications Security (CCS), pp. 635–647. ACM (2009)
  33. Stone-Gross, B., Stevens, R., Zarras, A., Kemmerer, R., Kruegel, C., Vigna, G.: Understanding fraudulent activities in online ad exchanges. In: Proceedings of the 2011 ACM SIGCOMM Internet Measurement Conference (IMC), pp. 279–294. ACM (2011)
  34. Tuzhilin, A.: The Lane's Gifts v. Google report. Official Google Blog: Findings on invalid clicks, pp. 1–47 (2006)
  35. United States District Court: Sealed Indictment, October 2011
  36.
  37. Zhang, Q., Ristenpart, T., Savage, S., Voelker, G.M.: Got traffic?: an evaluation of click traffic providers. In: Proceedings of the 2011 Joint WICOW/AIRWeb Workshop on Web Quality, pp. 19–26. ACM (2011)

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Yizheng Chen (1), corresponding author
  • Panagiotis Kintis (1)
  • Manos Antonakakis (2)
  • Yacin Nadji (1)
  • David Dagon (1)
  • Wenke Lee (1)
  • Michael Farrell (3)

  1. School of Computer Science, Georgia Institute of Technology, Atlanta, USA
  2. School of Electrical and Computer Engineering, Georgia Institute of Technology, Atlanta, USA
  3. Institute for Internet Security and Privacy, Georgia Institute of Technology, Atlanta, USA