New “Chameleon” Botnet Could Be Costing Advertisers Up To $6 Million A Month

Botnets. To security researchers, they’re like digital Hydra. For each vicious head they lop off, another two explode from the stump.

Just a month ago, Microsoft and Symantec announced that they’d manage to take down the massive Bamital botnet, which is said to have been fakin’ clicks to the tune of around a million bucks a year. This new guy that just popped up? Six million. Per month., a security research/traffic analysis firm out of London, says they’ve been on this botnet’s trail since December of 2012. Dubbing it “Chameleon” (because of the many ways it hides), they’ve shared a whole stack of stats regarding this nasty thing’s behavior:

  • “Chameleon” appears to have around 120,000 computers under its control
  • It seems to only target Windows PCs
  • Unlike many (most) botnets before it, Chameleon is faking clicks to graphic/Flash ads — not just text ads.
  • The botnet appears to fake around 9 billion ad impressions per month, clicking through these ads with an easy-to-overlook rate of about 0.02%
  • About 95% of the infected PCs are residential systems (Read: Your grandma’s old Dell.)
  • The botnet is pulling down about 9 billion ad views per month. At an estimated rate of $0.69 per thousand views, that’s just over $6 million paid out for views without any actual eyeballs behind them.

As if the insanely high numbers weren’t enough, Chameleon also packs quite a few tricks up its sleeve to make it hard to detect/fight. It’s constantly moving the mouse around the page whenever the bot is surfing sans driver, which helps it sneak by any fraud-detection system that’s on the lookout for suspiciously robotic movements. It’s constantly running multiple concurrent sessions per visitor, and it’ll automatically reboot itself anytime once its slave sessions crash. Guh.

According to, Chameleon seems to be primarily focusing its trickery on 202 different websites. Which 202 websites? They don’t say — presumably because it implies that any one or all of those websites might be in on it, when that’s really just not the case. Any one who’s set to profit from this (or, hell, anyone who just wanted to flex their tech muscles and write a sophisticated botnet) could have put it together.

On the upside, has managed to pin down a list of what they say is 5,000 of the most active infected computers. On the downside, that’s.. you know, 5,000 out of 120,000 and counting. SAVE US, SYMANTEC.

[Photo Credit: D. Richard Hipp on Flickr under creative commons]