tailieunhanh - The Anatomy of Clickbot.A

The Anatomy of Clickbot.A

Neil Daswani, Michael Stoppelman, and the Google Click Quality and Security Teams
daswani mstoppelman @ Google Inc.

Abstract

This paper provides a detailed case study of the architecture of the botnet that attempted a low-noise click fraud attack against syndicated search engines. The botnet of over 100,000 machines was controlled using an HTTP-based botmaster. Google identified all clicks on its ads exhibiting patterns and marked them as invalid. We disclose the results of our investigation of this botnet to educate the security research community and provide information regarding the novelties of the attack.

1. Introduction

This paper presents a detailed case study of the botnet. The botnet consisted of over 100,000 machines and exhibited some novel characteristics while also taking advantage of some characteristics of existing well-known botnets. One of the most novel characteristics of the clickbot is that it was built to conduct a low-noise click fraud attack against syndicated search engines. This paper focuses on describing the novel aspects of the botnet and describes parts of our experience in investigating it.
For instance, we describe how syndicated search engines work and how Clickbot.A attacked such search engines. We believe that it is important to disclose the details of how such botnets work to help the security community in general build better defenses. In the case of the botnet described in this paper, Google identified all clicks on its ads exhibiting patterns and marked them as invalid. Clickbot.A had a generalized architecture that could be used to conduct click fraud against almost any search engine, including but not limited to Google. While several major codebases for IRC-based bots, such as RDbot and SDbot, are used frequently in the miscreant community, it is unclear if common codebases for HTTP-based botnets have emerged. Should s .